From sle-security-updates at lists.suse.com Sun Mar 1 11:31:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sun, 1 Mar 2020 19:31:32 +0100 (CET)
Subject: SUSE-CU-2020:67-1: Security update of suse/sle15
Message-ID: <20200301183132.6A2C7F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:67-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.170
Container Release     : 6.2.170
Severity              : moderate
Type                  : security
References            : 1148244 1148788 1160594 1160764 1161779 1163922 1164562 CVE-2019-3687 CVE-2020-8013
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2681-1
Released:    Tue Oct 15 22:01:40 2019
Summary:     Recommended update for libdb-4_8
Type:        recommended
Severity:    moderate
References:  1148244
Description:

This update for libdb-4_8 fixes the following issues:

- Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562
Description:

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
Description:

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

From sle-security-updates at lists.suse.com Sun Mar 1 11:36:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sun, 1 Mar 2020 19:36:07 +0100 (CET)
Subject: SUSE-CU-2020:68-1: Security update of suse/sles12sp3
Message-ID: <20200301183607.37CF7F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:68-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.115 , suse/sles12sp3:latest
Container Release     : 24.115
Severity              : moderate
Type                  : security
References            : 1123886 1160594 1160764 1161779 1163922 CVE-2020-8013
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:545-1
Released:    Fri Feb 28 15:50:46 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1123886,1160594,1160764,1161779,1163922,CVE-2020-8013
Description:

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

From sle-security-updates at lists.suse.com Mon Mar 2 10:14:23 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 18:14:23 +0100 (CET)
Subject: SUSE-SU-2020:0555-1: moderate: Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer
Message-ID: <20200302171423.79227F79E@maintenance.suse.de>

SUSE Security Update: Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0555-1
Rating:             moderate
References:         #1111622 #1122668
Cross-References:   CVE-2018-18074
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Manager Tools 12
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Point of Sale 12-SP2
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Module for Containers 12
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Linux Enterprise High Availability 12-SP1
                    SUSE Enterprise Storage 5
                    SUSE CaaS Platform 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:

python-cfn-lint was included as a new package in 0.21.4.

python-aws-sam-translator was updated to 1.11.0:

* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation

Upgrade to 1.10.0:

* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications

- Initial build
  + Version 1.9.0
- Add patch to drop compatible releases operator from setup.py, required for SLES12 as the setuptools version is too old
  + ast_drop-compatible-releases-operator.patch

python-jsonschema was updated to 2.6.0:

* Improved performance on CPython by adding caching around ref resolution

Update to version 2.5.0:

* Improved performance on CPython by adding caching around ref resolution (#203)

Update to version 2.4.0:

* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)

- Install /usr/bin/jsonschema with update-alternatives support

python-nose2 was updated to 0.9.1:

* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0

Update to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49)

python-scandir was included in version 2.3.2.

python-requests was updated to version 2.20.1 (bsc#1111622)

* Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24

Update to version 2.20.0:

* Bugfixes
  + Content-Type header parsing is now case-insensitive (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames (e.g. files).
* Dependencies
  + Requests now supports urllib3 v1.24.
* Deprecations
  + Requests has officially stopped support for Python 2.6.

Update to version 2.19.1:

* Fixed issue where status_codes.py's init function failed trying to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements
  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.
  + Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
  + Parsing empty Link headers with parse_header_links() no longer return one bogus entry.
  + Fixed issue where loading the default certificate bundle from a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username and password in the request. This also fixes the issue of DNS queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.

update to version 2.18.4:

* Improvements
  + Error messages for invalid headers now include the header name for easier debugging
* Dependencies
  + We now support idna v2.6.

update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead of SSLError when encountering SSL problems when using urllib3 v1.22.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-555=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-555=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-555=1
- SUSE Manager Tools 12:
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-555=1
- SUSE Manager Server 3.2:
  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-555=1
- SUSE Manager Proxy 3.2:
  zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-555=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-555=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-555=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-555=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-555=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-555=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-555=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-555=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-555=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-555=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-555=1
- SUSE Linux Enterprise Point of Sale 12-SP2:
  zypper in -t patch SUSE-SLE-POS-12-SP2-2020-555=1
- SUSE Linux Enterprise Module for Public Cloud 12:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-555=1
- SUSE Linux Enterprise Module for Containers 12:
  zypper in -t patch SUSE-SLE-Module-Containers-12-2020-555=1
- SUSE Linux Enterprise Module for Advanced Systems Management 12:
  zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-555=1
- SUSE Linux Enterprise High Availability 12-SP5:
  zypper in -t patch SUSE-SLE-HA-12-SP5-2020-555=1
- SUSE Linux Enterprise High Availability 12-SP2:
  zypper in -t patch SUSE-SLE-HA-12-SP2-2020-555=1
- SUSE Linux Enterprise High Availability 12-SP1:
  zypper in -t patch SUSE-SLE-HA-12-SP1-2020-555=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-555=1
- SUSE CaaS Platform 3.0:
  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-555=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-botocore-1.12.213-28.12.1 python-jsonpatch-1.1-10.4.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-jsonpointer-1.0-10.3.1 python3-packaging-17.1-2.5.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE OpenStack Cloud 8 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE OpenStack Cloud 8 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-botocore-1.12.213-28.12.1 python-jsonpatch-1.1-10.4.1 python-jsonpointer-1.0-10.3.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-jsonpointer-1.0-10.3.1 python3-packaging-17.1-2.5.1
- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE OpenStack Cloud 7 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-jsonpatch-1.1-10.4.1 python-jsonpointer-1.0-10.3.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-jsonpointer-1.0-10.3.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Manager Server 3.2 (ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Manager Proxy 3.2 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise Server 12-SP5 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-requests-2.20.1-8.7.7 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise Server 12-SP4 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
  cfn-lint-0.21.4-2.3.1 python-boto3-1.9.213-14.9.1 python-botocore-1.12.213-28.12.1 python-docutils-0.15.2-3.4.2 python-functools32-3.2.3.2-2.6.1
  python-jsonpatch-1.1-10.4.1 python-jsonpointer-1.0-10.3.1 python-jsonschema-2.6.0-5.3.1 python-requests-2.20.1-8.7.7 python-s3transfer-0.2.1-8.3.1
  python3-aws-sam-translator-1.11.0-2.3.1 python3-boto3-1.9.213-14.9.1 python3-botocore-1.12.213-28.12.1 python3-cfn-lint-0.21.4-2.3.1 python3-docutils-0.15.2-3.4.2
  python3-jsonpatch-1.1-10.4.1 python3-jsonpointer-1.0-10.3.1 python3-jsonschema-2.6.0-5.3.1 python3-requests-2.20.1-8.7.7 python3-s3transfer-0.2.1-8.3.1
- SUSE Linux Enterprise Module for Containers 12 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Linux Enterprise High Availability 12-SP5 (noarch):
  python-requests-2.20.1-8.7.7
- SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise High Availability 12-SP1 (ppc64le s390x x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- SUSE Linux Enterprise High Availability 12-SP1 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python-pyparsing-2.2.0-7.6.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1 python3-pyparsing-2.2.0-7.6.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- SUSE Enterprise Storage 5 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-packaging-17.1-2.5.1
- SUSE CaaS Platform 3.0 (noarch):
  python-jsonpatch-1.1-10.4.1 python-jsonpointer-1.0-10.3.1
- SUSE CaaS Platform 3.0 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4
- HPE Helion Openstack 8 (x86_64):
  python-PyYAML-5.1.2-26.9.4 python-PyYAML-debuginfo-5.1.2-26.9.4 python-PyYAML-debugsource-5.1.2-26.9.4 python3-PyYAML-5.1.2-26.9.4
- HPE Helion Openstack 8 (noarch):
  python-asn1crypto-0.24.0-2.5.1 python-botocore-1.12.213-28.12.1 python-jsonpatch-1.1-10.4.1 python-jsonpointer-1.0-10.3.1 python-packaging-17.1-2.5.1 python3-asn1crypto-0.24.0-2.5.1 python3-jsonpointer-1.0-10.3.1 python3-packaging-17.1-2.5.1

References:

https://www.suse.com/security/cve/CVE-2018-18074.html
https://bugzilla.suse.com/1111622
https://bugzilla.suse.com/1122668

From sle-security-updates at lists.suse.com Mon Mar 2 10:20:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 18:20:22 +0100 (CET)
Subject: SUSE-SU-2020:0558-1: important: Security update for the Linux Kernel
Message-ID: <20200302172022.0A017F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0558-1
Rating:             important
References:         #1050244 #1050549 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030
                    #1086301 #1086313 #1086314 #1088810 #1104745 #1105392 #1109837 #1111666 #1112178 #1112374
                    #1112504 #1113956 #1114279 #1114648 #1114685 #1118338 #1123328 #1127682 #1129551 #1133021
                    #1133147 #1140025 #1142685 #1144162 #1144333 #1151927 #1153535 #1153917 #1154243 #1154601
                    #1156609 #1157155 #1157157 #1157424 #1157480 #1157692 #1157966 #1158013 #1158026 #1158071
                    #1159028 #1159096 #1159271 #1159377 #1159394 #1159588 #1159911 #1159955 #1160147 #1160195
                    #1160210 #1160211 #1160218 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618
                    #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966
                    #1160979 #1161087 #1161243 #1161360 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549
                    #1161552 #1161674 #1161702 #1161875 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936
                    #1161937 #1162028 #1162067 #1162109 #1162139 #1162171 #1162557 #1162617 #1162618 #1162619
                    #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840
                    #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852
                    #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863
                    #1163867 #1163869 #1163880 #1163971 #1164051 #1164069 #1164098 #1164115 #1164314 #1164315
                    #1164388 #1164471 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730
                    #1164731 #1164732 #1164733 #1164734 #1164735
Cross-References:   CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994 CVE-2019-19036
                    CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19927 CVE-2019-19965
                    CVE-2020-2732 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 15 vulnerabilities and has 150 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service or possibly obtain sensitive information from kernel memory (bnc#1162109).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bnc#1160966).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures (bnc#1161522).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service (bnc#1161523).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures (bnc#1161518).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-19927: Fixed an out-of-bounds read access when mounting a crafted f2fs filesystem image and performing some operations, related to ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c (bnc#1160147).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda: Clear RIRB status before reading WP (bsc#1111666).
- ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666).
- ALSA: hda: constify copied structure (bsc#1111666).
- ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666).
- ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666).
- ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda: hdmi - add Tigerlake support (bsc#1111666).
- ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666).
- ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666).
- ALSA: hda: More constifications (bsc#1111666).
- ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666).
- ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - More constifications (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: sh: Fix unused variable warnings (bsc#1111666).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666).
- ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath10k: Correct the DMA direction for management tx buffers (bsc#1111666).
- ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666).
- ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666).
- ath9k: fix storage endpoint lookup (git-fixes).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- bnxt: apply computed clamp value for coalece parameter (bsc#1104745).
- bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745).
- bnxt_en: Return error if FW returns more data than dump length (bsc#1104745).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf: add self-check logic to liveness analysis (bsc#1160618).
- bpf: add verifier stats and log_level bit 2 (bsc#1160618).
- bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647).
- bpf: improve stacksafe state comparison (bco#1160618).
- bpf: improve verification speed by droping states (bsc#1160618).
- bpf: improve verification speed by not remarking live_read (bsc#1160618).
- bpf: improve verifier branch analysis (bsc#1160618).
- bpf: increase complexity limit and maximum program size (bsc#1160618).
- bpf: increase verifier log limit (bsc#1160618).
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618).
- bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618).
- bpf: Sanity check max value for var_off stack access (bco#1160618).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647).
- bpf: speed up stacksafe check (bco#1160618).
- bpf: Support variable offset stack access from helpers (bco#1160618).
- bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943). - Btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - Btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - Btrfs: fix infinite loop during fsync after rename operations (bsc#1163383). - Btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - Btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - Btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - Btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384). - Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - Btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - Btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). 
- Btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). 
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - cdrom: respect device capabilities during opening action (boo#1164632). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix deadlocks in autodisconnect work (bsc#1111666). - cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - CIFS: add support for flock (bsc#1144333). - CIFS: Close cached root handle only if it had a lease (bsc#1144333). - CIFS: Close open handle after interrupted close (bsc#1144333). - CIFS: close the shared root handle on tree disconnect (bsc#1144333). - CIFS: Do not miss cancelled OPEN responses (bsc#1144333). - CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333). - CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - CIFS: fix mount option display for sec=krb5i (bsc#1161907). - CIFS: Fix mount options set in automount (bsc#1144333). - CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333). - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333). 
- CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - CIFS: Properly process SMB3 lease breaks (bsc#1144333). - CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - Documentation: Document arm64 kpti control (bsc#1162623). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). - drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666). - drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). 
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915: Add missing include file <linux/math64.h> (bsc#1051510). - drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178) - drm/i915/gvt: set guest display buffer as readonly (bsc#1112178) - drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178) - drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666). - drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666). - drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666). - drm/i915: Sanity check mmap length against object size (bsc#1111666). - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666). - drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rect: Avoid division by zero (bsc#1111666). - drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666). - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956) - drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666). - drm/sun4i: tcon: Set RGB DCLK min. 
divider based on hardware model (bsc#1111666). - drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - exit: panic before exit_mm() on global init exit (bsc#1161549). - ext2: check err when partial != NULL (bsc#1163859). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fscrypt: do not set policy for a dead directory (bsc#1163846). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). 
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gtp: avoid zero size hashtable (networking-stable-20_01_01). - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028). - hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598). - hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598). - hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598). - hv_netvsc: Fix unwanted rx_table reset (bsc#1164598). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11178). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179). - Input: aiptek - fix endpoint sanity check (bsc#1051510). 
- Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617). - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314). - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115). - iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469). - iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470). - iommu: Remove device link to group on failure (bsc#1160755). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: change monitor DMA to be coherent (bsc#1161243). - iwlwifi: clear persistence bit according to device family (bsc#1111666). - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510). - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510). - iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666). - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862). - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836). - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860). - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863). - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880). 
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852). - kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678). - kABI: protect struct sctp_ep_common (kabi). - kABI: Protest new fields in BPF structs (bsc#1160618). - kabi/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028). - kABI workaround for can/skb.h inclusion (bsc#1051510). - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510). - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360). - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840). - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840). - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840). - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618). - kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). 
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762). - libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535). - libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535). - libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - livepatch: Simplify stack trace retrieval (jsc#SLE-11179). - locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666). - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510). - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510). - macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - md/raid0: Fix buffer overflow at debug print (bsc#1164051). - media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes). - media: digitv: do not continue if remote control state can't be read (bsc#1051510). - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510). - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes). - media: gspca: zero usb_buf (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov6650: Fix crop rectangle alignment not passed back (git-fixes). - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes). - media: pulse8-cec: fix lost cec_transmit_attempt_done() call. - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - mfd: da9062: Fix watchdog compatible string (bsc#1051510). - mfd: dln2: More sanity checking for endpoints (bsc#1051510). - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510). - mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374). - mmc: sdhci: Add a quirk for broken command queuing (git-fixes). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes). - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510). - mmc: tegra: fix SDR50 tuning override (bsc#1051510). - mm, debug_pagealloc: do not rely on static keys too early (VM debuging functionality, bsc#1159096). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mod_devicetable: fix PHY module format (networking-stable-19_12_28). - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510). 
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - mwifiex: update set_mac_address logic (bsc#1111666). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851). - net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28). - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: sched: correct flower port blocking (git-fixes). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837). - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). 
- new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes). - PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028). - PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028). - PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028). - PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028). - PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028). - PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279). - perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). 
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). - powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551). - powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028). - powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028). - powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). - powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). 
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: add missing endpoint sanity check (bsc#1051510).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11179).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- SMB3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- SMB3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11178).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179).
- stacktrace: Provide common infrastructure (jsc#SLE-11179).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- Temporary workaround for bsc#1159096 should no longer be needed.
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Cleanup stack trace code (jsc#SLE-11179).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- USB: core: fix check for duplicate endpoints (git-fixes).
- USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- USB: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- USB: gadget: Zero ffs_io_data (bsc#1051510).
- USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- USBip: Fix error path of vhci_recv_ret_submit() (git-fixes).
- USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- USB: roles: fix a potential use after free (git-fixes).
- USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- USB: serial: ir-usb: fix link-speed handling (bsc#1051510).
- USB: serial: keyspan: handle unbound ports (bsc#1051510).
- USB: serial: opticon: fix control-message timeouts (bsc#1051510).
- USB: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- USB: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes).
- USB: serial: option: add Telit ME910G1 0x110a composition (git-fixes).
- USB: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes).
- USB: serial: quatech2: handle unbound ports (bsc#1051510).
- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- USB: serial: suppress driver bind attributes (bsc#1051510).
- usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
- USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
- watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
- watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
- wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
- wireless: wext: avoid gcc -O3 warning (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
- x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/MCE/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/MCE: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/resctrl: Prevent possible overrun during bitmap operations (bsc#1114648).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfrm: fix sa selector validation (bsc#1156609).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-558=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  kernel-devel-azure-4.12.14-16.10.1
  kernel-source-azure-4.12.14-16.10.1

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  kernel-azure-4.12.14-16.10.1
  kernel-azure-base-4.12.14-16.10.1
  kernel-azure-base-debuginfo-4.12.14-16.10.1
  kernel-azure-debuginfo-4.12.14-16.10.1
  kernel-azure-debugsource-4.12.14-16.10.1
  kernel-azure-devel-4.12.14-16.10.1
  kernel-syms-azure-4.12.14-16.10.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html
https://www.suse.com/security/cve/CVE-2019-14896.html
https://www.suse.com/security/cve/CVE-2019-14897.html
https://www.suse.com/security/cve/CVE-2019-16994.html
https://www.suse.com/security/cve/CVE-2019-19036.html
https://www.suse.com/security/cve/CVE-2019-19045.html
https://www.suse.com/security/cve/CVE-2019-19054.html
https://www.suse.com/security/cve/CVE-2019-19318.html
https://www.suse.com/security/cve/CVE-2019-19927.html
https://www.suse.com/security/cve/CVE-2019-19965.html
https://www.suse.com/security/cve/CVE-2020-2732.html
https://www.suse.com/security/cve/CVE-2020-7053.html
https://www.suse.com/security/cve/CVE-2020-8428.html
https://www.suse.com/security/cve/CVE-2020-8648.html
https://www.suse.com/security/cve/CVE-2020-8992.html
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1061840
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1086301
https://bugzilla.suse.com/1086313
https://bugzilla.suse.com/1086314
https://bugzilla.suse.com/1088810
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1105392
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111666
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1112504
https://bugzilla.suse.com/1113956
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1114685
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1123328
https://bugzilla.suse.com/1127682
https://bugzilla.suse.com/1129551
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1133147
https://bugzilla.suse.com/1140025
https://bugzilla.suse.com/1142685
https://bugzilla.suse.com/1144162
https://bugzilla.suse.com/1144333
https://bugzilla.suse.com/1151927
https://bugzilla.suse.com/1153535
https://bugzilla.suse.com/1153917
https://bugzilla.suse.com/1154243
https://bugzilla.suse.com/1154601
https://bugzilla.suse.com/1156609
https://bugzilla.suse.com/1157155
https://bugzilla.suse.com/1157157
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1157480
https://bugzilla.suse.com/1157692
https://bugzilla.suse.com/1157966
https://bugzilla.suse.com/1158013
https://bugzilla.suse.com/1158026
https://bugzilla.suse.com/1158071
https://bugzilla.suse.com/1159028
https://bugzilla.suse.com/1159096
https://bugzilla.suse.com/1159271
https://bugzilla.suse.com/1159377
https://bugzilla.suse.com/1159394
https://bugzilla.suse.com/1159588
https://bugzilla.suse.com/1159911
https://bugzilla.suse.com/1159955
https://bugzilla.suse.com/1160147
https://bugzilla.suse.com/1160195
https://bugzilla.suse.com/1160210
https://bugzilla.suse.com/1160211
https://bugzilla.suse.com/1160218
https://bugzilla.suse.com/1160433
https://bugzilla.suse.com/1160442
https://bugzilla.suse.com/1160469
https://bugzilla.suse.com/1160470
https://bugzilla.suse.com/1160476
https://bugzilla.suse.com/1160560
https://bugzilla.suse.com/1160618
https://bugzilla.suse.com/1160678
https://bugzilla.suse.com/1160755
https://bugzilla.suse.com/1160756
https://bugzilla.suse.com/1160784
https://bugzilla.suse.com/1160787
https://bugzilla.suse.com/1160802
https://bugzilla.suse.com/1160803
https://bugzilla.suse.com/1160804
https://bugzilla.suse.com/1160917
https://bugzilla.suse.com/1160966
https://bugzilla.suse.com/1160979
https://bugzilla.suse.com/1161087
https://bugzilla.suse.com/1161243
https://bugzilla.suse.com/1161360
https://bugzilla.suse.com/1161472
https://bugzilla.suse.com/1161514
https://bugzilla.suse.com/1161518
https://bugzilla.suse.com/1161522
https://bugzilla.suse.com/1161523
https://bugzilla.suse.com/1161549
https://bugzilla.suse.com/1161552
https://bugzilla.suse.com/1161674
https://bugzilla.suse.com/1161702
https://bugzilla.suse.com/1161875
https://bugzilla.suse.com/1161907
https://bugzilla.suse.com/1161931
https://bugzilla.suse.com/1161933
https://bugzilla.suse.com/1161934
https://bugzilla.suse.com/1161935
https://bugzilla.suse.com/1161936
https://bugzilla.suse.com/1161937
https://bugzilla.suse.com/1162028
https://bugzilla.suse.com/1162067
https://bugzilla.suse.com/1162109
https://bugzilla.suse.com/1162139
https://bugzilla.suse.com/1162171
https://bugzilla.suse.com/1162557
https://bugzilla.suse.com/1162617
https://bugzilla.suse.com/1162618
https://bugzilla.suse.com/1162619
https://bugzilla.suse.com/1162623
https://bugzilla.suse.com/1162928
https://bugzilla.suse.com/1162943
https://bugzilla.suse.com/1163206
https://bugzilla.suse.com/1163383
https://bugzilla.suse.com/1163384
https://bugzilla.suse.com/1163762
https://bugzilla.suse.com/1163774
https://bugzilla.suse.com/1163836
https://bugzilla.suse.com/1163840
https://bugzilla.suse.com/1163841
https://bugzilla.suse.com/1163842
https://bugzilla.suse.com/1163843
https://bugzilla.suse.com/1163844
https://bugzilla.suse.com/1163845
https://bugzilla.suse.com/1163846
https://bugzilla.suse.com/1163849
https://bugzilla.suse.com/1163850
https://bugzilla.suse.com/1163851
https://bugzilla.suse.com/1163852
https://bugzilla.suse.com/1163853
https://bugzilla.suse.com/1163855
https://bugzilla.suse.com/1163856
https://bugzilla.suse.com/1163857
https://bugzilla.suse.com/1163858
https://bugzilla.suse.com/1163859
https://bugzilla.suse.com/1163860
https://bugzilla.suse.com/1163861
https://bugzilla.suse.com/1163862
https://bugzilla.suse.com/1163863
https://bugzilla.suse.com/1163867
https://bugzilla.suse.com/1163869
https://bugzilla.suse.com/1163880
https://bugzilla.suse.com/1163971
https://bugzilla.suse.com/1164051
https://bugzilla.suse.com/1164069
https://bugzilla.suse.com/1164098
https://bugzilla.suse.com/1164115
https://bugzilla.suse.com/1164314
https://bugzilla.suse.com/1164315
https://bugzilla.suse.com/1164388
https://bugzilla.suse.com/1164471
https://bugzilla.suse.com/1164598
https://bugzilla.suse.com/1164632
https://bugzilla.suse.com/1164705
https://bugzilla.suse.com/1164712
https://bugzilla.suse.com/1164727
https://bugzilla.suse.com/1164728
https://bugzilla.suse.com/1164729
https://bugzilla.suse.com/1164730
https://bugzilla.suse.com/1164731
https://bugzilla.suse.com/1164732
https://bugzilla.suse.com/1164733
https://bugzilla.suse.com/1164734
https://bugzilla.suse.com/1164735

From sle-security-updates at lists.suse.com Mon Mar 2 10:43:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 18:43:30 +0100 (CET)
Subject: SUSE-SU-2020:0557-1: moderate: Security update for python36
Message-ID: <20200302174330.7C726F798@maintenance.suse.de>

SUSE Security Update: Security update for python36
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0557-1
Rating: moderate
References: #1162367 #1162423 #1162825
Cross-References: CVE-2019-9674 CVE-2020-8492
Affected Products: SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for python36 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is "C", coerce it to C.UTF-8 (bsc#1162423).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-557=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  libpython3_6m1_0-3.6.10-4.6.1
  libpython3_6m1_0-debuginfo-3.6.10-4.6.1
  python36-3.6.10-4.6.1
  python36-base-3.6.10-4.6.1
  python36-base-debuginfo-3.6.10-4.6.1
  python36-base-debugsource-3.6.10-4.6.1
  python36-debuginfo-3.6.10-4.6.1
  python36-debugsource-3.6.10-4.6.1

References:

https://www.suse.com/security/cve/CVE-2019-9674.html
https://www.suse.com/security/cve/CVE-2020-8492.html
https://bugzilla.suse.com/1162367
https://bugzilla.suse.com/1162423
https://bugzilla.suse.com/1162825

From sle-security-updates at lists.suse.com Mon Mar 2 10:46:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 18:46:31 +0100 (CET)
Subject: SUSE-SU-2020:0559-1: important: Security update for the Linux Kernel
Message-ID: <20200302174631.1C191F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0559-1
Rating: important
References:
  #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995
  #1085030 #1086301 #1086313 #1086314 #1088810 #1104427 #1105392 #1111666
  #1112178 #1112504 #1114279 #1118338 #1123328 #1127371 #1133021 #1133147
  #1134973 #1140025 #1143959 #1144333 #1151910 #1151927 #1153917 #1154243
  #1155331 #1155334 #1156259 #1156286 #1156462 #1157155 #1157157 #1157303
  #1157424 #1157692 #1157853 #1157966 #1158013 #1158021 #1158026 #1158533
  #1158819 #1159028 #1159271 #1159297 #1159394 #1159483 #1159484 #1159569
  #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160195
  #1160210 #1160211 #1160218 #1160433 #1160442 #1160476 #1160560 #1160755
  #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966
  #1160979 #1161087 #1161360 #1161514 #1161518 #1161522 #1161523 #1161549
  #1161552 #1161674 #1161702 #1161875 #1161907 #1161931 #1161933 #1161934
  #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162557
  #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163383 #1163384
  #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844
  #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855
  #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863
  #1163867 #1163869 #1163880 #1163971 #1164069 #1164098 #1164115 #1164314
  #1164315 #1164388 #1164471 #1164632 #1164705 #1164712 #1164727 #1164728
  #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735
Cross-References:
  CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994
  CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054
  CVE-2019-19066 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447
  CVE-2019-19767 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054
  CVE-2019-20095 CVE-2019-20096 CVE-2020-2732 CVE-2020-7053
  CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products: SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that solves 23 vulnerabilities and has 136 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service or possibly obtain sensitive information from kernel memory (bnc#1162109).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bnc#1160966).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures (bnc#1161522).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service (bnc#1161523).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures (bnc#1161518).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20095: Fixed a memory leak and denial of service in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c, where some error-handling cases did not free allocated hostcmd memory (bnc#1159909).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: A setxattr operation, after a mount of a crafted ext4 image, could cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: The Linux kernel mishandled ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-18808: A memory leak in the ccp_run_sha_cmd() in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption) (bnc#1156259).
- CVE-2019-19066: A memory leak in the bfad_im_get_stats() in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath9k: fix storage endpoint lookup (git-fixes).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- Btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- Btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- Btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- Btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- Btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- Btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- Btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- Btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- Btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- Btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- Btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- Btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- Btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- Btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- Btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- Btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- Btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- Btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- Btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- Btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- Btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- Btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- Btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- Btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- Btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- Btrfs: skip log replay on orphaned roots (bsc#1161935).
- Btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- Btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- Btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- Btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- Btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- Btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- Btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- Btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- Btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- Btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- cdrom: respect device capabilities during opening action (boo#1164632).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: add support for flock (bsc#1144333).
- CIFS: Close cached root handle only if it had a lease (bsc#1144333).
- CIFS: Close open handle after interrupted close (bsc#1144333).
- CIFS: close the shared root handle on tree disconnect (bsc#1144333).
- CIFS: Do not miss cancelled OPEN responses (bsc#1144333).
- CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- CIFS: fix mount option display for sec=krb5i (bsc#1161907).
- CIFS: Fix mount options set in automount (bsc#1144333).
- CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333).
- CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- CIFS: Properly process SMB3 lease breaks (bsc#1144333).
- CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915: Add missing include file <linux/math64.h> (bsc#1051510).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4: check for directory entries too close to block end (bsc#1163861).
- ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841).
- ext4: fix checksum errors with indexed dirs (bsc#1160979).
- ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- Fix partial checked out tree build ... so that bisection does not break.
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- fscrypt: do not set policy for a dead directory (bsc#1163846).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/open.c: allow opening only regular files during execve() (bsc#1163845).
- ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- gtp: avoid zero size hashtable (networking-stable-20_01_01).
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
- gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iommu: Remove device link to group on failure (bsc#1160755).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: protect struct sctp_ep_common (kabi).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: sched: correct flower port blocking (git-fixes).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). 
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510). - ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes). - pwm: Remove set but not set variable 'pwm' (git-fixes). - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279) - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - qede: Fix multicast mac configuration (networking-stable-19_12_28). - qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10). - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510). - quota: Check that quota is not dirty before release (bsc#1163858). - quota: fix livelock in dquot_writeback_dquots (bsc#1163857). - r8152: add missing endpoint sanity check (bsc#1051510). - r8152: get default setting of WOL before initializing (bsc#1051510). - random: move FIPS continuous test to output functions (bsc#1155334). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ). - README.BRANCH: Update the branch name to cve/linux-4.12 - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - regulator: rn5t618: fix module aliases (bsc#1051510). - reiserfs: Fix memory leak of journal device string (bsc#1163867). - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869). - resource: fix locking in find_next_iomem_res() (bsc#1114279). - Revert "ath10k: fix DMA related firmware crashes on multiple devices" (git-fixes). - Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510). 
- Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510). - rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field) - rpm/kernel-binary.spec.in: Replace Novell with SUSE - rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages - rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959) - rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling: - rpm/kernel-subpackage-spec: Unify dependency handling. - rpm/modules.fips: update module list (bsc#1157853) - rsi_91x_usb: fix interface sanity check (git-fixes). - rtc: cmos: Stop using shared IRQ (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). - rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - rtl8xxxu: fix interface sanity check (git-fixes). - rtlwifi: Fix MAX MPDU of VHT capability (git-fixes). - rtlwifi: Remove redundant semicolon in wifi.h (git-fixes). - s390: add stack switch helper (jsc#SLE-11179). - s390: add support for virtually mapped kernel stacks (jsc#SLE-11179). - s390: always inline current_stack_pointer() (jsc#SLE-11179). - s390: always inline disabled_wait (jsc#SLE-11179). - s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179). - s390: clean up stacks setup (jsc#SLE-11179). - s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179). - s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179). - s390: fine-tune stack switch helper (jsc#SLE-11179). 
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179). - s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179). - s390/ftrace: save traced function caller (jsc#SLE-11179). - s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179). - s390/head64: correct init_task stack setup (jsc#SLE-11179). - s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179). - s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179). - s390: kabi workaround for reliable stack tracing (jsc#SLE-11179). - s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179). - s390/kasan: avoid report in get_wchan (jsc#SLE-11179). - s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179). - s390: preserve kabi for stack unwind API (jsc#SLE-11179). - s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179). - s390/qeth: clean up page frag creation (git-fixes). - s390/qeth: consolidate skb allocation (git-fixes). - s390/qeth: ensure linear access to packet headers (git-fixes). - s390/qeth: guard against runt packets (git-fixes). - s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179). - s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179). - s390/test_unwind: print verbose unwinding results (jsc#SLE-11179). - s390: unify stack size definitions (jsc#SLE-11179). - s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179). - s390/unwind: always inline get_stack_pointer (jsc#SLE-11179). - s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179). - s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179). - s390/unwind: correct stack switching during unwind (jsc#SLE-11179). - s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179). - s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179). - s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179). 
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179). - s390/unwind: introduce stack unwind API (jsc#SLE-11179). - s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179). - s390/unwind: remove stack recursion warning (jsc#SLE-11179). - s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179). - s390/unwind: start unwinding from reliable state (jsc#SLE-11179). - s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179). - s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179). - s390/unwind: unify task is current checks (jsc#SLE-11179). - sched/fair: Add tmp_alone_branch assertion (bnc#1156462). - sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462). - sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462). - sched/fair: Optimize update_blocked_averages() (bnc#1156462). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). 
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - scsi: zfcp: trace channel log even for FCP command responses (git-fixes). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - SMB3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - SMB3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510). 
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632). - stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179). - stacktrace: Provide common infrastructure (jsc#SLE-11179). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). - Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510). - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510). - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). 
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes). - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes). - tracing: Cleanup stack trace code (jsc#SLE-11179). - tracing: Fix tracing_stat return values in error handling paths (git-fixes). - tracing: Fix very unlikely race of registering two stat tracers (git-fixes). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850). - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856). - ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855). - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844). - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01). - USB: adutux: fix interface sanity check (bsc#1051510). - USB: Allow USB device to be warm reset in suspended state (bsc#1051510). - USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - USB: core: fix check for duplicate endpoints (git-fixes). - USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - USB: core: urb: fix URB structure initialization function (bsc#1051510). - USB: documentation: flags on usb-storage versus UAS (bsc#1051510). 
- USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - USB: dwc3: ep0: Clear started flag on completion (bsc#1051510). - USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - USB: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes). - USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: legacy: set max_speed to super-speed (bsc#1051510). - USB: gadget: pch_udc: fix use after free (bsc#1051510). - USB: gadget: u_serial: add missing port entry locking (bsc#1051510). - USB: gadget: Zero ffs_io_data (bsc#1051510). - USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - USB: idmouse: fix interface sanity checks (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). - USB: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). - USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - USB: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - USB: serial: ir-usb: fix IrLAP framing (bsc#1051510). - USB: serial: ir-usb: fix link-speed handling (bsc#1051510). - USB: serial: keyspan: handle unbound ports (bsc#1051510). 
- USB: serial: opticon: fix control-message timeouts (bsc#1051510). - USB: serial: option: Add support for Quectel RM500Q (bsc#1051510). - USB: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - USB: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - USB: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - USB: serial: quatech2: handle unbound ports (bsc#1051510). - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - USB: serial: suppress driver bind attributes (bsc#1051510). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - USB: xhci: only set D3hot for pci device (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/MCE/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/MCE: Fix possibly incorrect severity calculation on AMD (bsc#1114279). 
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279). - xen/balloon: Support xend-based toolstack take two (bsc#1065600). - xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xen: Enable interrupts when calling _cond_resched() (bsc#1065600). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510). - xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510). - zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-559=1

Package List:

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      kernel-devel-azure-4.12.14-6.37.1
      kernel-source-azure-4.12.14-6.37.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      kernel-azure-4.12.14-6.37.1
      kernel-azure-base-4.12.14-6.37.1
      kernel-azure-base-debuginfo-4.12.14-6.37.1
      kernel-azure-debuginfo-4.12.14-6.37.1
      kernel-azure-debugsource-4.12.14-6.37.1
      kernel-azure-devel-4.12.14-6.37.1
      kernel-syms-azure-4.12.14-6.37.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 
https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 
https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735

From sle-security-updates at lists.suse.com Mon Mar 2 13:14:51 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 21:14:51 +0100 (CET)
Subject: SUSE-SU-2020:0560-1: important: Security update for the Linux Kernel
Message-ID: <20200302201451.CAEFCF79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0560-1
Rating: important
References: #1046303 #1050244 #1050549 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810
#1090888 #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1105392 #1109837 #1111666 #1112178 #1112374 #1112504 #1113956 #1114279 #1114685 #1115026 #1118338 #1118661 #1123328 #1126206 #1127371 #1127611 #1127682 #1129551 #1129770 #1133021 #1133147 #1134973 #1140025 #1142685 #1143959 #1144162 #1144333 #1146519 #1146544 #1151548 #1151910 #1151927 #1152107 #1152631 #1153535 #1153917 #1154243 #1154601 #1154768 #1154916 #1155331 #1155334 #1155689 #1156259 #1156286 #1156462 #1157155 #1157157 #1157169 #1157303 #1157424 #1157480 #1157692 #1157853 #1157895 #1157908 #1157966 #1158013 #1158021 #1158026 #1158071 #1158094 #1158132 #1158381 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159271 #1159297 #1159377 #1159394 #1159483 #1159484 #1159500 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160147 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618 #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1160979 #1161087 #1161243 #1161360 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161702 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1163971 #1164051 #1164069 #1164098 #1164115 #1164314 #1164315 #1164388 #1164471 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 Cross-References: CVE-2019-14615 
CVE-2019-14896 CVE-2019-14897 CVE-2019-15213 CVE-2019-16746 CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19051 CVE-2019-19054 CVE-2019-19066 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19526 CVE-2019-19527 CVE-2019-19532 CVE-2019-19533 CVE-2019-19535 CVE-2019-19537 CVE-2019-19767 CVE-2019-19927 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-2732 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1
______________________________________________________________________________

An update that solves 36 vulnerabilities and has 196 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c. It did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19927: A slab-out-of-bounds read access could have been caused when mounting a crafted f2fs filesystem image and performing some operations on it, in drivers/gpu/drm/ttm/ttm_page_alloc.c (bnc#1160147).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303).
- CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024).
- CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954).
- CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827).
- CVE-2019-19537: There was a race condition bug that could be caused by a malicious USB character device, aka CID-303911cfc5b9. (bsc#1158904).
- CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903).
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900).
- CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893).
- CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824).
- CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823).
- CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: OSL: only free map once in osl.c (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666).
- ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G (git-fixes).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda/realtek - More constifications (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666).
- ALSA: hda: Clear RIRB status before reading WP (bsc#1111666).
- ALSA: hda: constify copied structure (bsc#1111666).
- ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666).
- ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666).
- ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666).
- ALSA: hda: hdmi - add Tigerlake support (bsc#1111666).
- ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666).
- ALSA: hda: More constifications (bsc#1111666).
- ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666).
- ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: sh: Fix unused variable warnings (bsc#1111666).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666).
- ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath10k: Correct the DMA direction for management tx buffers (bsc#1111666).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666).
- ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666).
- ath6kl: Fix off by one error in scan completion (bsc#1051510).
- ath9k: fix storage endpoint lookup (git-fixes).
- atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510).
- audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1159377).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510).
- bnxt: apply computed clamp value for coalece parameter (bsc#1104745).
- bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745).
- bnxt_en: Return error if FW returns more data than dump length (bsc#1104745).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647).
- bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack() (bsc#1083647).
- bpf: add self-check logic to liveness analysis (bsc#1160618).
- bpf: add verifier stats and log_level bit 2 (bsc#1160618).
- bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647).
- bpf: improve stacksafe state comparison (bco#1160618).
- bpf: improve verification speed by droping states (bsc#1160618).
- bpf: improve verification speed by not remarking live_read (bsc#1160618).
- bpf: improve verifier branch analysis (bsc#1160618).
- bpf: increase complexity limit and maximum program size (bsc#1160618).
- bpf: increase verifier log limit (bsc#1160618).
- bpf: Make use of probe_user_write in probe write helper (bsc#1083647).
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618).
- bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618).
- bpf: Sanity check max value for var_off stack access (bco#1160618).
- bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837).
- bpf: speed up stacksafe check (bco#1160618).
- bpf: Support variable offset stack access from helpers (bco#1160618).
- bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666).
- brcmfmac: set F2 watermark to 256 for 4373 (bsc#1111666).
- brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 (bsc#1111666).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: peak_usb: report bus recovery as well (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- cdrom: respect device capabilities during opening action (boo#1164632).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix deadlocks in autodisconnect work (bsc#1111666).
- cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: add support for flock (bsc#1144333).
- cifs: Close cached root handle only if it had a lease (bsc#1144333).
- cifs: Close open handle after interrupted close (bsc#1144333).
- cifs: close the shared root handle on tree disconnect (bsc#1144333).
- cifs: Do not miss cancelled OPEN responses (bsc#1144333).
- cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mount option display for sec=krb5i (bsc#1161907).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: Fix NULL pointer dereference in mid callback (bsc#1144333).
- cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- cifs: Properly process SMB3 lease breaks (bsc#1144333).
- cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666).
- drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666).
- drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178)
- drm/i915/gvt: set guest display buffer as readonly (bsc#1112178)
- drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178)
- drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666).
- drm/i915: Add missing include file (bsc#1051510).
- drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666).
- drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666).
- drm/i915: Reacquire priolist cache after dropping the engine lock (bsc#1129770).
- drm/i915: Sanity check mmap length against object size (bsc#1111666).
- drm/msm: include linux/sched/task.h (bsc#1112178)
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666).
- drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666).
- drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rect: Avoid division by zero (bsc#1111666).
- drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666).
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956)
- drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666).
- drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666).
- drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666).
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: fix punch hole for inline_data file systems (bsc#1158640). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - fix partial checked out tree build ... so that bisection does not break. - fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fscrypt: do not set policy for a dead directory (bsc#1163846). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510). - genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gtp: avoid zero size hashtable (networking-stable-20_01_01). - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028). - hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598). - hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598). - hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598). - hv_netvsc: Fix unwanted rx_table reset (bsc#1164598). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - IB/mlx5: Fix steering rule of drop and count (bsc#1103991 ). - IB/mlx5: Remove dead code (bsc#1103991). - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). 
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047). - ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047). - ibmvnic: Serialize device queries (bsc#1155689 ltc#182047). - ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047). - ice: fix stack leakage (bsc#1118661). - idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). - Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - iomap: Fix pipe page leakage during splicing (bsc#1158651). - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617). - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314). - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115). - iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469). 
- iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iommu: Remove device link to group on failure (bsc#1160755). - ipmi: Do not allow device module unload when in use (bsc#1154768). - ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: change monitor DMA to be coherent (bsc#1161243). - iwlwifi: clear persistence bit according to device family (bsc#1111666). - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510). - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510). - iwlwifi: mvm: force TCM re-evaluation on TCM resume (bsc#1111666). - iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510). - iwlwifi: mvm: synchronize TID queue removal (bsc#1051510). - iwlwifi: pcie: fix erroneous print (bsc#1111666). - iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666). - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862). - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836). - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860). - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863). - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880). - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852). - kABI fix for "ipmi: Do not allow device module unload when in use" (bsc#1154768). - kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678). - kABI workaround for can/skb.h inclusion (bsc#1051510). - kABI/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028). - kABI: add _q suffix to exports that take struct dh (bsc#1155331). - kABI: protect struct sctp_ep_common (kabi). 
- kABI: Protest new fields in BPF structs (bsc#1160618). - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510). - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360). - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510). - kexec: bail out upon SIGKILL when allocating memory (git-fixes). - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840). - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840). - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840). - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes). - KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes). - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618). - KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). 
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - KVM: x86: Remove a spurious export of a static function (bsc#1158954). - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - lib: crc64: include for 'crc64_be' (bsc#1163762). - libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535). - libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834). - libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549). - loop: fix no-unmap write-zeroes request behavior (bsc#1158637). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666). - mac80211: fix station inactive_time shortly after boot (bsc#1051510). - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510). - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510). - macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510). 
- md/raid0: Fix buffer overflow at debug print (bsc#1164051). - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510). - media: af9005: uninitialized variable printked (bsc#1051510). - media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510). - media: cec: CEC 2.0-only bcast messages were ignored (git-fixes). - media: cec: report Vendor ID after initialization (bsc#1051510). - media: digitv: do not continue if remote control state can't be read (bsc#1051510). - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510). - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes). - media: gspca: zero usb_buf (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov6650: Fix control handler not freed on init error (git-fixes). - media: ov6650: Fix crop rectangle alignment not passed back (git-fixes). - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes). - media: pulse8-cec: fix lost cec_transmit_attempt_done() call. - media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510). - media: stkwebcam: Bugfix for wrong return values (bsc#1051510). - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media: uvcvideo: Fix error path in control parsing failure (git-fixes). - media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - mei: bus: prefix device names on bus with the bus name (bsc#1051510). - mfd: da9062: Fix watchdog compatible string (bsc#1051510). - mfd: dln2: More sanity checking for endpoints (bsc#1051510). - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510). 
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)") - mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374). - mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374). - mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510). - mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510). - mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510). - mmc: sdhci: Add a quirk for broken command queuing (git-fixes). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes). - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510). - mmc: tegra: fix SDR50 tuning override (bsc#1051510). - moduleparam: fix parameter description mismatch (bsc#1051510). - mod_devicetable: fix PHY module format (networking-stable-19_12_28). - mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837). - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510). - mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510). - mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - mwifiex: fix potential NULL dereference and use after free (bsc#1051510). - mwifiex: update set_mac_address logic (bsc#1111666). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851). - nbd: prevent memory leak (bsc#1158638). 
- net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837). - net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989). - net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990). - net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303). - net/mlx5: Update the list of the PCI supported devices (bsc#1127611). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlx5e: Fix SFF 8472 eeprom length (git-fixes). - net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes). - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28). - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01). - net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - net: fix data-race in neigh_event_send() (networking-stable-19_11_10). - net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28). - net: hns3: fix ETS bandwidth validation bug (bsc#1104353 ). - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28). - net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510). - net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510). 
- net: phy: Check against net_device being NULL (bsc#1051510). - net: phy: dp83867: Set up RGMII TX delay (bsc#1051510). - net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510). - net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510). - net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510). - net: phy: marvell: clear wol event before setting it (bsc#1051510). - net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510). - net: phy: meson-gxl: check phy_write return value (bsc#1051510). - net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510). - net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510). - net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510). - net: phy: xgene: disable clk on error paths (bsc#1051510). - net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510). - net: phy: xgmiitorgmii: Check read_status results (bsc#1051510). - net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net: sched: correct flower port blocking (git-fixes). - net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837). - net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). 
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: fdp: fix incorrect free object (networking-stable-19_11_10). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - NFC: st21nfca: fix double free (networking-stable-19_11_10). - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774). - ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644). - ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes). - PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI: pciehp: Avoid returning prematurely from sysfs requests (git-fixes). - PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028). - PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028). - PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028). - PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028). - PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028). - PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279). 
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510). - pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510). - platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510). - platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510). - platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510). - PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510). - PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510). - power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551). - powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). 
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). - powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes). - powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028). - powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028). - powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028). - powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). - powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086). 
- ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - pwm: Clear chip_data in pwm_put() (bsc#1051510). - pwm: clps711x: Fix period calculation (bsc#1051510). - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes). - pwm: Remove set but not set variable 'pwm' (git-fixes). - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279) - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - qede: Fix multicast mac configuration (networking-stable-19_12_28). - qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10). - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510). - quota: Check that quota is not dirty before release (bsc#1163858). - quota: fix livelock in dquot_writeback_dquots (bsc#1163857). - r8152: add missing endpoint sanity check (bsc#1051510). - r8152: get default setting of WOL before initializing (bsc#1051510). - random: move FIPS continuous test to output functions (bsc#1155334). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series (bsc#1154916). - RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (bsc#1157895). - RDMA/bnxt_re: Fix missing le16_to_cpu (bsc#1157895). - RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206). - RDMA/hns: Correct the value of srq_desc_size (bsc#1104427 ). - RDMA/hns: Fix to support 64K page for srq (bsc#1104427 ). - RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ). 
- README.BRANCH: Removing myself from the maintainer list - README.BRANCH: Update the branch name to cve/linux-4.12 - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - regulator: rn5t618: fix module aliases (bsc#1051510). - regulator: tps65910: fix a missing check of return value (bsc#1051510). - reiserfs: Fix memory leak of journal device string (bsc#1163867). - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869). - reset: fix reset_control_ops kerneldoc comment (bsc#1051510). - resource: fix locking in find_next_iomem_res() (bsc#1114279). - Revert "ath10k: fix DMA related firmware crashes on multiple devices" (git-fixes). - Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510). - Revert "locking/pvqspinlock: Do not wait if vCPU is preempted" (bsc#1050549). - Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510). - rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field) - rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322). - rpm/kernel-binary.spec.in: Replace Novell with SUSE - rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages - rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959) - rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling: - rpm/kernel-subpackage-spec: Unify dependency handling. - rpm/modules.fips: update module list (bsc#1157853) - rsi_91x_usb: fix interface sanity check (git-fixes). - rt2800: remove errornous duplicate condition (git-fixes). - rtc: cmos: Stop using shared IRQ (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). 
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - rtl818x: fix potential use after free (bsc#1051510). - rtl8xxxu: fix interface sanity check (git-fixes). - rtlwifi: Fix MAX MPDU of VHT capability (git-fixes). - rtlwifi: Remove redundant semicolon in wifi.h (git-fixes). - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (bsc#1111666). - s390/qeth: clean up page frag creation (git-fixes). - s390/qeth: consolidate skb allocation (git-fixes). - s390/qeth: ensure linear access to packet headers (git-fixes). - s390/qeth: guard against runt packets (git-fixes). - sched/fair: Add tmp_alone_branch assertion (bnc#1156462). - sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462). - sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462). - sched/fair: Optimize update_blocked_averages() (bnc#1156462). - sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132). - scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). 
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - scsi: zfcp: trace channel log even for FCP command responses (git-fixes). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: max310x: Fix tx_empty() callback (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472). 
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510).
- spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: rtl8192e: fix potential use after free (bsc#1051510).
- staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510).
- staging: rtl8723bs: Drop ACPI device ids (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stm class: Fix a double free of stm_source_device (bsc#1051510).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510).
- tipc: fix a missing check of genlmsg_put (bsc#1051510).
- tipc: fix link name length check (bsc#1051510).
- tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510).
- tipc: fix skb may be leaky in tipc_link_input (bsc#1051510).
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Fix tracing_stat return values in error handling paths (git-fixes).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- uaccess: Add non-pagefault user-space write function (bsc#1083647).
- ubifs: Correctly initialize c->min_log_bytes (bsc#1158641).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Limit the number of pages in shrink_liability (bsc#1158643).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
- usb: adutux: fix interface sanity check (bsc#1051510).
- usb: Allow USB device to be warm reset in suspended state (bsc#1051510).
- usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- usb: core: fix check for duplicate endpoints (git-fixes).
- usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- usb: core: urb: fix URB structure initialization function (bsc#1051510).
- usb: documentation: flags on usb-storage versus UAS (bsc#1051510).
- usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- usb: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- usb: gadget: pch_udc: fix use after free (bsc#1051510).
- usb: gadget: u_serial: add missing port entry locking (bsc#1051510).
- usb: gadget: Zero ffs_io_data (bsc#1051510).
- usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usb: idmouse: fix interface sanity checks (bsc#1051510).
- usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510).
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- usb: roles: fix a potential use after free (git-fixes).
- usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510).
- usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510).
- usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- usb: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- usb: serial: ir-usb: fix link-speed handling (bsc#1051510).
- usb: serial: keyspan: handle unbound ports (bsc#1051510).
- usb: serial: opticon: fix control-message timeouts (bsc#1051510).
- usb: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes).
- usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes).
- usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes).
- usb: serial: quatech2: handle unbound ports (bsc#1051510).
- usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- usb: serial: suppress driver bind attributes (bsc#1051510).
- usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- usb: xhci: only set D3hot for pci device (bsc#1051510).
- usbip: Fix error path of vhci_recv_ret_submit() (git-fixes).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510).
- vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01).
- video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5.
- video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5.
- watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
- watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
- watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510).
- watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
- wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
- wireless: wext: avoid gcc -O3 warning (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
- x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-560=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  kernel-default-livepatch-4.12.14-197.34.1
  kernel-default-livepatch-devel-4.12.14-197.34.1
  kernel-livepatch-4_12_14-197_34-default-1-3.5.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-15213.html https://www.suse.com/security/cve/CVE-2019-16746.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19051.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19338.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19526.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19535.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19927.html https://www.suse.com/security/cve/CVE-2019-19965.html
https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1103989 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1115026 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1118661 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1126206 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1127682 https://bugzilla.suse.com/1129551 https://bugzilla.suse.com/1129770 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1134973 
https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144162 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 https://bugzilla.suse.com/1151548 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1152107 https://bugzilla.suse.com/1152631 https://bugzilla.suse.com/1153535 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1154601 https://bugzilla.suse.com/1154768 https://bugzilla.suse.com/1154916 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1155689 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157480 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157895 https://bugzilla.suse.com/1157908 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158071 https://bugzilla.suse.com/1158094 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158637 https://bugzilla.suse.com/1158638 https://bugzilla.suse.com/1158639 https://bugzilla.suse.com/1158640 https://bugzilla.suse.com/1158641 https://bugzilla.suse.com/1158643 https://bugzilla.suse.com/1158644 https://bugzilla.suse.com/1158645 https://bugzilla.suse.com/1158646 https://bugzilla.suse.com/1158647 https://bugzilla.suse.com/1158649 https://bugzilla.suse.com/1158651 https://bugzilla.suse.com/1158652 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 
https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 https://bugzilla.suse.com/1158893 https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 https://bugzilla.suse.com/1158954 https://bugzilla.suse.com/1159024 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159377 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159500 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160147 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160469 https://bugzilla.suse.com/1160470 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160618 https://bugzilla.suse.com/1160678 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161243 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161472 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 
https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163206 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164051 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 
https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164598 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735

From sle-security-updates at lists.suse.com Mon Mar 2 13:46:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Mar 2020 21:46:50 +0100 (CET)
Subject: SUSE-SU-2020:0560-1: important: Security update for the Linux Kernel
Message-ID: <20200302204650.CE014F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0560-1
Rating: important
References: #1046303 #1050244 #1050549 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810 #1090888 #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1105392 #1109837 #1111666 #1112178 #1112374 #1112504 #1113956 #1114279 #1114685 #1115026 #1118338 #1118661 #1123328 #1126206 #1127371 #1127611 #1127682 #1129551 #1129770 #1133021 #1133147 #1134973 #1140025 #1142685 #1143959 #1144162 #1144333 #1146519 #1146544 #1151548 #1151910 #1151927 #1152107 #1152631 #1153535 #1153917 #1154243 #1154601 #1154768 #1154916 #1155331 #1155334 #1155689 #1156259 #1156286 #1156462 #1157155 #1157157 #1157169 #1157303 #1157424 #1157480 #1157692 #1157853 #1157895 #1157908 #1157966 #1158013 #1158021 #1158026 #1158071 #1158094 #1158132 #1158381 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159271 #1159297 #1159377 #1159394 #1159483 #1159484 #1159500 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160147 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618 #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1160979 #1161087 #1161243 #1161360 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161702 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1163971 #1164051 #1164069 #1164098 #1164115 #1164314 #1164315 #1164388 #1164471 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735
Cross-References: CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-15213 CVE-2019-16746 CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19051 CVE-2019-19054 CVE-2019-19066 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19526 CVE-2019-19527 CVE-2019-19532 CVE-2019-19533 CVE-2019-19535 CVE-2019-19537 CVE-2019-19767 CVE-2019-19927 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-2732 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products:
SUSE Linux Enterprise Workstation Extension 15-SP1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
SUSE Linux Enterprise Module for Live Patching 15-SP1
SUSE Linux Enterprise Module for Legacy Software 15-SP1
SUSE Linux Enterprise Module for Development Tools 15-SP1
SUSE Linux Enterprise Module for Basesystem 15-SP1
SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves 36 vulnerabilities and has 196 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c. It did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19927: A slab-out-of-bounds read access could have been caused when mounting a crafted f2fs filesystem image and performing some operations on it, in drivers/gpu/drm/ttm/ttm_page_alloc.c (bnc#1160147).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303).
- CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024).
- CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954).
- CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827).
- CVE-2019-19537: There was a race condition bug that could be caused by a malicious USB character device, aka CID-303911cfc5b9. (bsc#1158904).
- CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903).
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900).
- CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893).
- CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824).
- CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823).
- CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: OSL: only free map once in osl.c (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666).
- ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G (git-fixes).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda/realtek - More constifications (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666).
- ALSA: hda: Clear RIRB status before reading WP (bsc#1111666).
- ALSA: hda: constify copied structure (bsc#1111666).
- ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666).
- ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666).
- ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666).
- ALSA: hda: hdmi - add Tigerlake support (bsc#1111666).
- ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666).
- ALSA: hda: More constifications (bsc#1111666).
- ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666).
- ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: sh: Fix unused variable warnings (bsc#1111666).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666).
- ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath10k: Correct the DMA direction for management tx buffers (bsc#1111666).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666).
- ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666).
- ath6kl: Fix off by one error in scan completion (bsc#1051510).
- ath9k: fix storage endpoint lookup (git-fixes).
- atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510).
- audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1159377).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510).
- bnxt: apply computed clamp value for coalece parameter (bsc#1104745).
- bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745).
- bnxt_en: Return error if FW returns more data than dump length (bsc#1104745).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647).
- bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack() (bsc#1083647).
- bpf: add self-check logic to liveness analysis (bsc#1160618).
- bpf: add verifier stats and log_level bit 2 (bsc#1160618).
- bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647).
- bpf: improve stacksafe state comparison (bco#1160618).
- bpf: improve verification speed by droping states (bsc#1160618).
- bpf: improve verification speed by not remarking live_read (bsc#1160618).
- bpf: improve verifier branch analysis (bsc#1160618).
- bpf: increase complexity limit and maximum program size (bsc#1160618).
- bpf: increase verifier log limit (bsc#1160618).
- bpf: Make use of probe_user_write in probe write helper (bsc#1083647).
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618).
- bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618).
- bpf: Sanity check max value for var_off stack access (bco#1160618).
- bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837).
- bpf: speed up stacksafe check (bco#1160618).
- bpf: Support variable offset stack access from helpers (bco#1160618).
- bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666).
- brcmfmac: set F2 watermark to 256 for 4373 (bsc#1111666).
- brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 (bsc#1111666).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: peak_usb: report bus recovery as well (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- cdrom: respect device capabilities during opening action (boo#1164632).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix deadlocks in autodisconnect work (bsc#1111666).
- cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: add support for flock (bsc#1144333).
- cifs: Close cached root handle only if it had a lease (bsc#1144333).
- cifs: Close open handle after interrupted close (bsc#1144333).
- cifs: close the shared root handle on tree disconnect (bsc#1144333).
- cifs: Do not miss cancelled OPEN responses (bsc#1144333).
- cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mount option display for sec=krb5i (bsc#1161907).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: Fix NULL pointer dereference in mid callback (bsc#1144333).
- cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- cifs: Properly process SMB3 lease breaks (bsc#1144333).
- cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666).
- drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666).
- drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178)
- drm/i915/gvt: set guest display buffer as readonly (bsc#1112178)
- drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178)
- drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666).
- drm/i915: Add missing include file (bsc#1051510).
- drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666).
- drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666).
- drm/i915: Reacquire priolist cache after dropping the engine lock (bsc#1129770).
- drm/i915: Sanity check mmap length against object size (bsc#1111666).
- drm/msm: include linux/sched/task.h (bsc#1112178)
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666).
- drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666).
- drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rect: Avoid division by zero (bsc#1111666).
- drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666).
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956)
- drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666).
- drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666).
- drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666).
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853).
- ext4: check for directory entries too close to block end (bsc#1163861).
- ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841).
- ext4: fix checksum errors with indexed dirs (bsc#1160979).
- ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: fix mount failure with quota configured as module (bsc#1164471).
- ext4: fix punch hole for inline_data file systems (bsc#1158640).
- ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843).
- ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- fix partial checked out tree build ... so that bisection does not break.
- fix the locking in dcache_readdir() and friends (bsc#1123328).
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/open.c: allow opening only regular files during execve() (bsc#1163845).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- fscrypt: do not set policy for a dead directory (bsc#1163846).
- ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- gtp: avoid zero size hashtable (networking-stable-20_01_01).
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
- gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
- HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028).
- hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598).
- hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598).
- hv_netvsc: Fix unwanted rx_table reset (bsc#1164598).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
- hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- IB/hfi1: Do not cancel unused work item (bsc#1114685).
- IB/mlx5: Fix steering rule of drop and count (bsc#1103991).
- IB/mlx5: Remove dead code (bsc#1103991).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ice: fix stack leakage (bsc#1118661).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469).
- iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipmi: Do not allow device module unload when in use (bsc#1154768).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: change monitor DMA to be coherent (bsc#1161243).
- iwlwifi: clear persistence bit according to device family (bsc#1111666).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: mvm: force TCM re-evaluation on TCM resume (bsc#1111666).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- iwlwifi: pcie: fix erroneous print (bsc#1111666).
- iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kABI fix for "ipmi: Do not allow device module unload when in use" (bsc#1154768).
- kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: Protest new fields in BPF structs (bsc#1160618).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- lib: crc64: include for 'crc64_be' (bsc#1163762).
- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535).
- libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834).
- libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374).
- mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci: Add a quirk for broken command queuing (git-fixes).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- mwifiex: update set_mac_address logic (bsc#1111666).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- nbd: prevent memory leak (bsc#1158638).
- net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989).
- net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net: hns3: fix ETS bandwidth validation bug (bsc#1104353).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531,edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: correct flower port blocking (git-fixes).
- net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837).
- net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI: pciehp: Avoid returning prematurely from sysfs requests (git-fixes).
- PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028).
- PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028).
- PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028).
- PCI: rpaphp: Correctly match ibm,my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028).
- PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028).
- PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551).
- powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
- powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
- powerpc/pseries: Allow not having ibm,hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028).
- powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
- powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: add missing endpoint sanity check (bsc#1051510).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series (bsc#1154916).
- RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (bsc#1157895).
- RDMA/bnxt_re: Fix missing le16_to_cpu (bsc#1157895).
- RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206).
- RDMA/hns: Correct the value of srq_desc_size (bsc#1104427).
- RDMA/hns: Fix to support 64K page for srq (bsc#1104427).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427).
- README.BRANCH: Removing myself from the maintainer list
- README.BRANCH: Update the branch name to cve/linux-4.12
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- Revert "ath10k: fix DMA related firmware crashes on multiple devices" (git-fixes).
- Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510).
- Revert "locking/pvqspinlock: Do not wait if vCPU is preempted" (bsc#1050549).
- Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rt2800: remove errornous duplicate condition (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl818x: fix potential use after free (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (bsc#1111666).
- s390/qeth: clean up page frag creation (git-fixes).
- s390/qeth: consolidate skb allocation (git-fixes).
- s390/qeth: ensure linear access to packet headers (git-fixes).
- s390/qeth: guard against runt packets (git-fixes).
- sched/fair: Add tmp_alone_branch assertion (bnc#1156462).
- sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462).
- sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462).
- sched/fair: Optimize update_blocked_averages() (bnc#1156462).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- scsi: zfcp: trace channel log even for FCP command responses (git-fixes).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: max310x: Fix tx_empty() callback (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510).
- spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: rtl8192e: fix potential use after free (bsc#1051510).
- staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510).
- staging: rtl8723bs: Drop ACPI device ids (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stm class: Fix a double free of stm_source_device (bsc#1051510).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510).
- tipc: fix a missing check of genlmsg_put (bsc#1051510).
- tipc: fix link name length check (bsc#1051510).
- tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510).
- tipc: fix skb may be leaky in tipc_link_input (bsc#1051510).
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Fix tracing_stat return values in error handling paths (git-fixes).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- uaccess: Add non-pagefault user-space write function (bsc#1083647).
- ubifs: Correctly initialize c->min_log_bytes (bsc#1158641).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Limit the number of pages in shrink_liability (bsc#1158643).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
- usb: adutux: fix interface sanity check (bsc#1051510).
- usb: Allow USB device to be warm reset in suspended state (bsc#1051510).
- usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- usb: core: fix check for duplicate endpoints (git-fixes).
- usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- usb: core: urb: fix URB structure initialization function (bsc#1051510).
- usb: documentation: flags on usb-storage versus UAS (bsc#1051510).
- usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- usb: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- usb: gadget: pch_udc: fix use after free (bsc#1051510).
- usb: gadget: u_serial: add missing port entry locking (bsc#1051510).
- usb: gadget: Zero ffs_io_data (bsc#1051510).
- usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usb: idmouse: fix interface sanity checks (bsc#1051510).
- usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510).
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- usb: roles: fix a potential use after free (git-fixes).
- usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510).
- usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510).
- usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- usb: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- usb: serial: ir-usb: fix link-speed handling (bsc#1051510).
- usb: serial: keyspan: handle unbound ports (bsc#1051510).
- usb: serial: opticon: fix control-message timeouts (bsc#1051510).
- usb: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes).
- usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes).
- usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes).
- usb: serial: quatech2: handle unbound ports (bsc#1051510).
- usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- usb: serial: suppress driver bind attributes (bsc#1051510).
- usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- usb: xhci: only set D3hot for pci device (bsc#1051510).
- usbip: Fix error path of vhci_recv_ret_submit() (git-fixes).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510).
- vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01).
- video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5.
- video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5.
- watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
- watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
- watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510).
- watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
- wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
- wireless: wext: avoid gcc -O3 warning (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
- x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-560=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-560=1
- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-560=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-560=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-560=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-560=1
- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-560=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  kernel-default-extra-4.12.14-197.34.1
  kernel-default-extra-debuginfo-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  kernel-obs-qa-4.12.14-197.34.1
  kernel-vanilla-4.12.14-197.34.1
  kernel-vanilla-base-4.12.14-197.34.1
  kernel-vanilla-base-debuginfo-4.12.14-197.34.1
  kernel-vanilla-debuginfo-4.12.14-197.34.1
  kernel-vanilla-debugsource-4.12.14-197.34.1
  kernel-vanilla-devel-4.12.14-197.34.1
  kernel-vanilla-devel-debuginfo-4.12.14-197.34.1
  kernel-vanilla-livepatch-devel-4.12.14-197.34.1
  kselftests-kmp-default-4.12.14-197.34.1
  kselftests-kmp-default-debuginfo-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64):
  kernel-debug-4.12.14-197.34.1
  kernel-debug-base-4.12.14-197.34.1
  kernel-debug-base-debuginfo-4.12.14-197.34.1
  kernel-debug-debuginfo-4.12.14-197.34.1
  kernel-debug-debugsource-4.12.14-197.34.1
  kernel-debug-devel-4.12.14-197.34.1
  kernel-debug-devel-debuginfo-4.12.14-197.34.1
  kernel-debug-livepatch-devel-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x):
  kernel-default-livepatch-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  kernel-docs-html-4.12.14-197.34.1
  kernel-source-vanilla-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
  kernel-kvmsmall-4.12.14-197.34.1
  kernel-kvmsmall-base-4.12.14-197.34.1
  kernel-kvmsmall-base-debuginfo-4.12.14-197.34.1
  kernel-kvmsmall-debuginfo-4.12.14-197.34.1
  kernel-kvmsmall-debugsource-4.12.14-197.34.1
  kernel-kvmsmall-devel-4.12.14-197.34.1
  kernel-kvmsmall-devel-debuginfo-4.12.14-197.34.1
  kernel-kvmsmall-livepatch-devel-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):
  kernel-zfcpdump-debuginfo-4.12.14-197.34.1
  kernel-zfcpdump-debugsource-4.12.14-197.34.1
  kernel-zfcpdump-man-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  kernel-default-livepatch-4.12.14-197.34.1
  kernel-default-livepatch-devel-4.12.14-197.34.1
  kernel-livepatch-4_12_14-197_34-default-1-3.5.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  reiserfs-kmp-default-4.12.14-197.34.1
  reiserfs-kmp-default-debuginfo-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-197.34.1
  kernel-obs-build-debugsource-4.12.14-197.34.1
  kernel-syms-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  kernel-docs-4.12.14-197.34.1
  kernel-source-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-197.34.1
  kernel-default-base-4.12.14-197.34.1
  kernel-default-base-debuginfo-4.12.14-197.34.1
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  kernel-default-devel-4.12.14-197.34.1
  kernel-default-devel-debuginfo-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  kernel-devel-4.12.14-197.34.1
  kernel-macros-4.12.14-197.34.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):
  kernel-default-man-4.12.14-197.34.1
  kernel-zfcpdump-4.12.14-197.34.1
  kernel-zfcpdump-debuginfo-4.12.14-197.34.1
  kernel-zfcpdump-debugsource-4.12.14-197.34.1
- SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-197.34.1
  cluster-md-kmp-default-debuginfo-4.12.14-197.34.1
  dlm-kmp-default-4.12.14-197.34.1
  dlm-kmp-default-debuginfo-4.12.14-197.34.1
  gfs2-kmp-default-4.12.14-197.34.1
  gfs2-kmp-default-debuginfo-4.12.14-197.34.1
  kernel-default-debuginfo-4.12.14-197.34.1
  kernel-default-debugsource-4.12.14-197.34.1
  ocfs2-kmp-default-4.12.14-197.34.1
  ocfs2-kmp-default-debuginfo-4.12.14-197.34.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html
https://www.suse.com/security/cve/CVE-2019-14896.html
https://www.suse.com/security/cve/CVE-2019-14897.html
https://www.suse.com/security/cve/CVE-2019-15213.html
https://www.suse.com/security/cve/CVE-2019-16746.html
https://www.suse.com/security/cve/CVE-2019-16994.html
https://www.suse.com/security/cve/CVE-2019-18808.html
https://www.suse.com/security/cve/CVE-2019-19036.html
https://www.suse.com/security/cve/CVE-2019-19045.html
https://www.suse.com/security/cve/CVE-2019-19051.html
https://www.suse.com/security/cve/CVE-2019-19054.html
https://www.suse.com/security/cve/CVE-2019-19066.html
https://www.suse.com/security/cve/CVE-2019-19318.html
https://www.suse.com/security/cve/CVE-2019-19319.html
https://www.suse.com/security/cve/CVE-2019-19332.html
https://www.suse.com/security/cve/CVE-2019-19338.html
https://www.suse.com/security/cve/CVE-2019-19447.html
https://www.suse.com/security/cve/CVE-2019-19523.html
https://www.suse.com/security/cve/CVE-2019-19526.html
https://www.suse.com/security/cve/CVE-2019-19527.html
https://www.suse.com/security/cve/CVE-2019-19532.html
https://www.suse.com/security/cve/CVE-2019-19533.html
https://www.suse.com/security/cve/CVE-2019-19535.html
https://www.suse.com/security/cve/CVE-2019-19537.html
https://www.suse.com/security/cve/CVE-2019-19767.html
https://www.suse.com/security/cve/CVE-2019-19927.html
https://www.suse.com/security/cve/CVE-2019-19965.html
https://www.suse.com/security/cve/CVE-2019-19966.html
https://www.suse.com/security/cve/CVE-2019-20054.html
https://www.suse.com/security/cve/CVE-2019-20095.html
https://www.suse.com/security/cve/CVE-2019-20096.html
https://www.suse.com/security/cve/CVE-2020-2732.html
https://www.suse.com/security/cve/CVE-2020-7053.html
https://www.suse.com/security/cve/CVE-2020-8428.html
https://www.suse.com/security/cve/CVE-2020-8648.html
https://www.suse.com/security/cve/CVE-2020-8992.html
https://bugzilla.suse.com/1046303
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1061840
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1086301
https://bugzilla.suse.com/1086313
https://bugzilla.suse.com/1086314
https://bugzilla.suse.com/1088810
https://bugzilla.suse.com/1090888
https://bugzilla.suse.com/1103989
https://bugzilla.suse.com/1103990
https://bugzilla.suse.com/1103991
https://bugzilla.suse.com/1104353
https://bugzilla.suse.com/1104427
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1105392
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111666
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1112504
https://bugzilla.suse.com/1113956
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1114685
https://bugzilla.suse.com/1115026
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1123328
https://bugzilla.suse.com/1126206
https://bugzilla.suse.com/1127371
https://bugzilla.suse.com/1127611
https://bugzilla.suse.com/1127682
https://bugzilla.suse.com/1129551
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1133147
https://bugzilla.suse.com/1134973
https://bugzilla.suse.com/1140025
https://bugzilla.suse.com/1142685
https://bugzilla.suse.com/1143959
https://bugzilla.suse.com/1144162
https://bugzilla.suse.com/1144333
https://bugzilla.suse.com/1146519
https://bugzilla.suse.com/1146544
https://bugzilla.suse.com/1151548
https://bugzilla.suse.com/1151910
https://bugzilla.suse.com/1151927
https://bugzilla.suse.com/1152107
https://bugzilla.suse.com/1152631
https://bugzilla.suse.com/1153535
https://bugzilla.suse.com/1153917
https://bugzilla.suse.com/1154243
https://bugzilla.suse.com/1154601
https://bugzilla.suse.com/1154768
https://bugzilla.suse.com/1154916
https://bugzilla.suse.com/1155331
https://bugzilla.suse.com/1155334
https://bugzilla.suse.com/1155689
https://bugzilla.suse.com/1156259
https://bugzilla.suse.com/1156286
https://bugzilla.suse.com/1156462
https://bugzilla.suse.com/1157155
https://bugzilla.suse.com/1157157
https://bugzilla.suse.com/1157169
https://bugzilla.suse.com/1157303
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1157480
https://bugzilla.suse.com/1157692
https://bugzilla.suse.com/1157853
https://bugzilla.suse.com/1157895
https://bugzilla.suse.com/1157908
https://bugzilla.suse.com/1157966
https://bugzilla.suse.com/1158013
https://bugzilla.suse.com/1158021
https://bugzilla.suse.com/1158026
https://bugzilla.suse.com/1158071
https://bugzilla.suse.com/1158094
https://bugzilla.suse.com/1158132
https://bugzilla.suse.com/1158381
https://bugzilla.suse.com/1158533
https://bugzilla.suse.com/1158637
https://bugzilla.suse.com/1158638
https://bugzilla.suse.com/1158639
https://bugzilla.suse.com/1158640
https://bugzilla.suse.com/1158641
https://bugzilla.suse.com/1158643
https://bugzilla.suse.com/1158644
https://bugzilla.suse.com/1158645
https://bugzilla.suse.com/1158646
https://bugzilla.suse.com/1158647
https://bugzilla.suse.com/1158649
https://bugzilla.suse.com/1158651
https://bugzilla.suse.com/1158652
https://bugzilla.suse.com/1158819
https://bugzilla.suse.com/1158823
https://bugzilla.suse.com/1158824
https://bugzilla.suse.com/1158827
https://bugzilla.suse.com/1158834
https://bugzilla.suse.com/1158893
https://bugzilla.suse.com/1158900
https://bugzilla.suse.com/1158903
https://bugzilla.suse.com/1158904
https://bugzilla.suse.com/1158954
https://bugzilla.suse.com/1159024
https://bugzilla.suse.com/1159028
https://bugzilla.suse.com/1159271
https://bugzilla.suse.com/1159297
https://bugzilla.suse.com/1159377
https://bugzilla.suse.com/1159394
https://bugzilla.suse.com/1159483
https://bugzilla.suse.com/1159484
https://bugzilla.suse.com/1159500
https://bugzilla.suse.com/1159569
https://bugzilla.suse.com/1159588
https://bugzilla.suse.com/1159841
https://bugzilla.suse.com/1159908
https://bugzilla.suse.com/1159909
https://bugzilla.suse.com/1159910
https://bugzilla.suse.com/1159911
https://bugzilla.suse.com/1159955
https://bugzilla.suse.com/1160147
https://bugzilla.suse.com/1160195
https://bugzilla.suse.com/1160210
https://bugzilla.suse.com/1160211
https://bugzilla.suse.com/1160218
https://bugzilla.suse.com/1160433
https://bugzilla.suse.com/1160442
https://bugzilla.suse.com/1160469
https://bugzilla.suse.com/1160470
https://bugzilla.suse.com/1160476
https://bugzilla.suse.com/1160560
https://bugzilla.suse.com/1160618
https://bugzilla.suse.com/1160678
https://bugzilla.suse.com/1160755
https://bugzilla.suse.com/1160756
https://bugzilla.suse.com/1160784
https://bugzilla.suse.com/1160787
https://bugzilla.suse.com/1160802
https://bugzilla.suse.com/1160803
https://bugzilla.suse.com/1160804
https://bugzilla.suse.com/1160917
https://bugzilla.suse.com/1160966
https://bugzilla.suse.com/1160979
https://bugzilla.suse.com/1161087
https://bugzilla.suse.com/1161243
https://bugzilla.suse.com/1161360
https://bugzilla.suse.com/1161472
https://bugzilla.suse.com/1161514
https://bugzilla.suse.com/1161518
https://bugzilla.suse.com/1161522
https://bugzilla.suse.com/1161523
https://bugzilla.suse.com/1161549
https://bugzilla.suse.com/1161552
https://bugzilla.suse.com/1161674
https://bugzilla.suse.com/1161702
https://bugzilla.suse.com/1161907
https://bugzilla.suse.com/1161931
https://bugzilla.suse.com/1161933
https://bugzilla.suse.com/1161934
https://bugzilla.suse.com/1161935
https://bugzilla.suse.com/1161936
https://bugzilla.suse.com/1161937
https://bugzilla.suse.com/1162028
https://bugzilla.suse.com/1162067
https://bugzilla.suse.com/1162109
https://bugzilla.suse.com/1162139
https://bugzilla.suse.com/1162557
https://bugzilla.suse.com/1162617
https://bugzilla.suse.com/1162618
https://bugzilla.suse.com/1162619
https://bugzilla.suse.com/1162623
https://bugzilla.suse.com/1162928
https://bugzilla.suse.com/1162943
https://bugzilla.suse.com/1163206
https://bugzilla.suse.com/1163383
https://bugzilla.suse.com/1163384
https://bugzilla.suse.com/1163762
https://bugzilla.suse.com/1163774
https://bugzilla.suse.com/1163836
https://bugzilla.suse.com/1163840
https://bugzilla.suse.com/1163841
https://bugzilla.suse.com/1163842
https://bugzilla.suse.com/1163843
https://bugzilla.suse.com/1163844
https://bugzilla.suse.com/1163845
https://bugzilla.suse.com/1163846
https://bugzilla.suse.com/1163849
https://bugzilla.suse.com/1163850
https://bugzilla.suse.com/1163851
https://bugzilla.suse.com/1163852
https://bugzilla.suse.com/1163853
https://bugzilla.suse.com/1163855
https://bugzilla.suse.com/1163856
https://bugzilla.suse.com/1163857
https://bugzilla.suse.com/1163858
https://bugzilla.suse.com/1163859
https://bugzilla.suse.com/1163860
https://bugzilla.suse.com/1163861
https://bugzilla.suse.com/1163862
https://bugzilla.suse.com/1163863
https://bugzilla.suse.com/1163867
https://bugzilla.suse.com/1163869
https://bugzilla.suse.com/1163880
https://bugzilla.suse.com/1163971
https://bugzilla.suse.com/1164051
https://bugzilla.suse.com/1164069
https://bugzilla.suse.com/1164098
https://bugzilla.suse.com/1164115
https://bugzilla.suse.com/1164314
https://bugzilla.suse.com/1164315
https://bugzilla.suse.com/1164388
https://bugzilla.suse.com/1164471
https://bugzilla.suse.com/1164598
https://bugzilla.suse.com/1164632
https://bugzilla.suse.com/1164705
https://bugzilla.suse.com/1164712
https://bugzilla.suse.com/1164727
https://bugzilla.suse.com/1164728
https://bugzilla.suse.com/1164729
https://bugzilla.suse.com/1164730
https://bugzilla.suse.com/1164731
https://bugzilla.suse.com/1164732
https://bugzilla.suse.com/1164733
https://bugzilla.suse.com/1164734
https://bugzilla.suse.com/1164735

From sle-security-updates at lists.suse.com Tue Mar 3 07:14:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Mar 2020 15:14:01 +0100 (CET)
Subject: SUSE-SU-2019:3060-2: moderate: Security update for libpng16
Message-ID: <20200303141401.2F216FCEF@maintenance.suse.de>

SUSE Security Update: Security update for libpng16
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:3060-2
Rating: moderate
References: #1124211 #1141493
Cross-References: CVE-2017-12652 CVE-2019-7317
Affected Products:
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Enterprise Storage 5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-569=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-569=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-569=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-569=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-569=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-569=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-569=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-569=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-569=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-569=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-569=1

Package List:

- SUSE OpenStack Cloud 8 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE OpenStack Cloud 7 (s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Enterprise Storage 5 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2

References:

https://www.suse.com/security/cve/CVE-2017-12652.html
https://www.suse.com/security/cve/CVE-2019-7317.html
https://bugzilla.suse.com/1124211
https://bugzilla.suse.com/1141493

From sle-security-updates at lists.suse.com Tue Mar 3 07:20:25 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Mar 2020 15:20:25 +0100 (CET)
Subject: SUSE-SU-2020:0568-1: moderate: Security update for ovmf
Message-ID: <20200303142025.608BDF79E@maintenance.suse.de>

SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0568-1
Rating: moderate
References: #1153072 #1163927 #1163959 #1163969
Cross-References: CVE-2019-14553 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575
Affected Products:
  SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for ovmf fixes the following issues:

Security issues fixed:

- CVE-2019-14563: Fixed a memory corruption caused by insufficient numeric truncation (bsc#1163959).
- CVE-2019-14553: Fixed the TLS certification verification in HTTPS-over-IPv6 boot sequences (bsc#1153072).
- CVE-2019-14559: Fixed a remotely exploitable memory leak in the ARP handling code (bsc#1163927).
- CVE-2019-14575: Fixed an insufficient signature check in the DxeImageVerificationHandler (bsc#1163969).
- Enabled HTTPS-over-IPv6 (bsc#1153072).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-568=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 x86_64):
  ovmf-2017+git1510945757.b2662641d5-5.29.3
  ovmf-tools-2017+git1510945757.b2662641d5-5.29.3
- SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):
  qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.29.3
  qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.29.3

References:

https://www.suse.com/security/cve/CVE-2019-14553.html
https://www.suse.com/security/cve/CVE-2019-14559.html
https://www.suse.com/security/cve/CVE-2019-14563.html
https://www.suse.com/security/cve/CVE-2019-14575.html
https://bugzilla.suse.com/1153072
https://bugzilla.suse.com/1163927
https://bugzilla.suse.com/1163959
https://bugzilla.suse.com/1163969

From sle-security-updates at lists.suse.com Tue Mar 3 10:23:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Mar 2020 18:23:17 +0100 (CET)
Subject: SUSE-SU-2020:0576-1: moderate: Security update for compat-openssl098
Message-ID: <20200303172317.C2FADF79E@maintenance.suse.de>

SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0576-1
Rating: moderate
References: #1117951 #1160163
Affected Products:
  SUSE Linux Enterprise Server for SAP 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for compat-openssl098 fixes the following issues:

- Add missing commits for fixes of the "The 9 Lives of Bleichenbacher's CAT" attack (bsc#1117951)
- Fixed missing BN_copy() (bsc#1160163)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP5:
  zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-576=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-576=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-576=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-576=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-576=1
- SUSE Linux Enterprise Module for Legacy Software 12:
  zypper in -t patch SUSE-SLE-Module-Legacy-12-2020-576=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP5 (x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
- SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):
  compat-openssl098-debugsource-0.9.8j-106.18.1
  libopenssl0_9_8-0.9.8j-106.18.1
  libopenssl0_9_8-32bit-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-0.9.8j-106.18.1
  libopenssl0_9_8-debuginfo-32bit-0.9.8j-106.18.1

References:

https://bugzilla.suse.com/1117951
https://bugzilla.suse.com/1160163

From sle-security-updates at lists.suse.com Tue Mar 3 10:29:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Mar 2020 18:29:02 +0100 (CET)
Subject: SUSE-SU-2020:14306-1: moderate: Security update for python
Message-ID: <20200303172902.52769F79E@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14306-1
Rating: moderate
References: #1162367
Cross-References: CVE-2020-8492
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python fixes the following security issue:

- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-python-14306=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-python-14306=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-python-14306=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-python-14306=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): libpython2_6-1_0-2.6.9-40.35.1 python-2.6.9-40.35.2 python-base-2.6.9-40.35.1 python-curses-2.6.9-40.35.2 python-demo-2.6.9-40.35.2 python-gdbm-2.6.9-40.35.2 python-idle-2.6.9-40.35.2 python-tk-2.6.9-40.35.2 python-xml-2.6.9-40.35.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): libpython2_6-1_0-32bit-2.6.9-40.35.1 python-32bit-2.6.9-40.35.2 python-base-32bit-2.6.9-40.35.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (noarch): python-doc-2.6-8.40.35.1 python-doc-pdf-2.6-8.40.35.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): python-doc-2.6-8.40.35.1 python-doc-pdf-2.6-8.40.35.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libpython2_6-1_0-2.6.9-40.35.1 python-2.6.9-40.35.2 python-base-2.6.9-40.35.1 python-curses-2.6.9-40.35.2 python-demo-2.6.9-40.35.2 python-gdbm-2.6.9-40.35.2 python-idle-2.6.9-40.35.2 python-tk-2.6.9-40.35.2 python-xml-2.6.9-40.35.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): python-base-debuginfo-2.6.9-40.35.1 python-base-debugsource-2.6.9-40.35.1 python-debuginfo-2.6.9-40.35.2 python-debugsource-2.6.9-40.35.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): python-base-debuginfo-32bit-2.6.9-40.35.1 python-debuginfo-32bit-2.6.9-40.35.2 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): python-base-debuginfo-2.6.9-40.35.1 python-base-debugsource-2.6.9-40.35.1 python-debuginfo-2.6.9-40.35.2 python-debugsource-2.6.9-40.35.2 - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64): 
python-base-debuginfo-32bit-2.6.9-40.35.1 python-debuginfo-32bit-2.6.9-40.35.2 References: https://www.suse.com/security/cve/CVE-2020-8492.html https://bugzilla.suse.com/1162367 From sle-security-updates at lists.suse.com Tue Mar 3 10:34:53 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Mar 2020 18:34:53 +0100 (CET) Subject: SUSE-SU-2020:0578-1: moderate: Security update for yast2-rmt Message-ID: <20200303173453.7BF3CF79E@maintenance.suse.de> SUSE Security Update: Security update for yast2-rmt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0578-1 Rating: moderate References: #1119835 #1146403 Cross-References: CVE-2018-20105 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for yast2-rmt to version 1.3.0 fixes the following issues: Security issue fixed: - CVE-2018-20105: Fixed an exposure of the CA private key passphrase in the log file (bsc#1119835). Non-security issue fixed: - Add support for forwarding registration data from RMT to SCC Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-578=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): yast2-rmt-1.3.0-3.5.1 References: https://www.suse.com/security/cve/CVE-2018-20105.html https://bugzilla.suse.com/1119835 https://bugzilla.suse.com/1146403 From sle-security-updates at lists.suse.com Wed Mar 4 07:14:07 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Mar 2020 15:14:07 +0100 (CET) Subject: SUSE-SU-2020:0584-1: important: Security update for the Linux Kernel Message-ID: <20200304141407.04C43F79E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0584-1 Rating: important References: #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810 #1090888 #1104427 #1105392 #1111666 #1112178 #1112504 #1114279 #1115026 #1118338 #1120853 #1123328 #1127371 #1133021 #1133147 #1134973 #1140025 #1141054 #1142095 #1143959 #1144333 #1146519 #1146544 #1151548 #1151910 #1151927 #1152631 #1153917 #1154243 #1155331 #1155334 #1155689 #1156259 #1156286 #1156462 #1157155 #1157157 #1157169 #1157303 #1157424 #1157692 #1157853 #1157908 #1157966 #1158013 #1158021 #1158026 #1158094 #1158132 #1158381 #1158394 #1158398 #1158407 #1158410 #1158413 #1158417 #1158427 #1158445 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159271 #1159297 #1159394 #1159483 #1159484 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160195 #1160210 #1160211 
#1160218 #1160433 #1160442 #1160476 #1160560 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1160979 #1161087 #1161360 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161702 #1161875 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1163971 #1164069 #1164098 #1164115 #1164314 #1164315 #1164388 #1164471 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 Cross-References: CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-15213 CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19051 CVE-2019-19054 CVE-2019-19066 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524 CVE-2019-19525 CVE-2019-19526 CVE-2019-19527 CVE-2019-19528 CVE-2019-19529 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534 CVE-2019-19535 CVE-2019-19536 CVE-2019-19537 CVE-2019-19543 CVE-2019-19767 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-2732 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992 Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that solves 43 vulnerabilities and has 163 fixes is now available. Description: The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed: - CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971). - CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954). - CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195). - CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157). - CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155). - CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544). - CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523). - CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259). - CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692). - CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522). - CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024). 
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518). - CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303). - CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026). - CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021). - CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827). - CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819). - CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823). - CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9 (bsc#1158413). - CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035 (bsc#1158417). - CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893). 
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900). - CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d (bsc#1158407). - CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41 (bnc#1158381). - CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef (bsc#1158410). - CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca (bsc#1158445). - CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824). - CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834). - CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29 (bsc#1158398). - CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903). - CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0 (bsc#1158394). - CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9 (bsc#1158904). 
- CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427). - CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297). - CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911). - CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841). - CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910). - CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909). - CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908). - CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966). - CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109). - CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928). - CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). 
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510). - ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510). - ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557). - ACPI / watchdog: Set default timeout in probe (bsc#1162557). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - ACPI: OSL: only free map once in osl.c (bsc#1051510). - ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510). - ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510). - ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510). - ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: echoaudio: simplify get_audio_levels (bsc#1051510). - ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). 
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510). - ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes). - ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes). - ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666). - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes). - ALSA: seq: Avoid concurrent access to queue flags (git-fixes). - ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - apparmor: fix unsigned len comparison with less than zero (git-fixes). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). - ASoC: compress: fix unsigned integer overflow check (bsc#1051510). - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). 
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: sun8i-codec: Fix setting DAI data format (git-fixes). - ASoC: wm8962: fix lambda value (git-fixes). - ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath6kl: Fix off by one error in scan completion (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510). - audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094). - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762). - bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). - bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). - bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). - bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). 
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762). - bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504). - bcache: print written and keys in trace_bcache_btree_write (bsc#1163762). - bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762). - bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762). - bcache: remove macro nr_to_fifo_front() (bsc#1163762). - bcache: remove member accessed from struct btree (bsc#1163762). - bcache: remove the extra cflags for request.o (bsc#1163762). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840). - blk-mq: make sure that line break can be printed (bsc#1164098). - Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510). - Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10). - bonding: fix state transition issue in link monitoring (networking-stable-19_11_10). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - bpf: Make use of probe_user_write in probe write helper (bsc#1083647). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). 
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during fsync after rename operations (bsc#1163383). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). 
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). 
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can: peak_usb: report bus recovery as well (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510). - can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510). - CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10). - cdrom: respect device capabilities during opening action (boo#1164632). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - cifs: add support for flock (bsc#1144333). - cifs: Close cached root handle only if it had a lease (bsc#1144333). 
- cifs: Close open handle after interrupted close (bsc#1144333). - cifs: close the shared root handle on tree disconnect (bsc#1144333). - cifs: Do not miss cancelled OPEN responses (bsc#1144333). - cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: fix mount option display for sec=krb5i (bsc#1161907). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: Fix NULL pointer dereference in mid callback (bsc#1144333). - cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - cifs: Properly process SMB3 lease breaks (bsc#1144333). - cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). 
- compat_ioctl: handle SIOCOUTQNSD (bsc#1051510). - configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - Cover up kABI breakage due to DH key verification (bsc#1155331). - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: dh - add public key verification test (bsc#1155331). - crypto: dh - fix calculating encoded key size (bsc#1155331). - crypto: dh - fix memory leak (bsc#1155331). - crypto: dh - update test for public key verification (bsc#1155331). - crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334). - crypto: ecdh - add public key verification test (bsc#1155331). - crypto: ecdh - fix typo of P-192 b value (bsc#1155331). - crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - cxgb4: request the TX CIDX updates to status page (bsc#1127371). - dma-buf: Fix memory leak in sync_file_merge() (git-fixes). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - Documentation: Document arm64 kpti control (bsc#1162623). 
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915: Add missing include file (bsc#1051510).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853).
- ext4: check for directory entries too close to block end (bsc#1163861).
- ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841).
- ext4: fix checksum errors with indexed dirs (bsc#1160979).
- ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: fix punch hole for inline_data file systems (bsc#1158640).
- ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843).
- ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- Fix partial checked out tree build ... so that bisection does not break.
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/open.c: allow opening only regular files during execve() (bsc#1163845).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- fscrypt: do not set policy for a dead directory (bsc#1163846).
- ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853).
- ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- gtp: avoid zero size hashtable (networking-stable-20_01_01).
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
- gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
- HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
- hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: protect struct sctp_ep_common (kabi).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- lib: crc64: include for 'crc64_be' (bsc#1163762).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- livepatch: Allow to distinguish different version of system state changes (bsc#1071995).
- livepatch: Basic API to track system state changes (bsc#1071995).
- livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995).
- livepatch: Selftests of the API for tracking system state changes (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mlx5: add parameter to disable enhanced IPoIB (bsc#1142095)
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- nbd: prevent memory leak (bsc#1158638).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: correct flower port blocking (git-fixes).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/PTM: Remove spurious "d" from granularity message (bsc#1051510).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI: dwc: Fix find_next_bit() usage (bsc#1051510).
- PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510).
- PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510).
- PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 (git-fixes).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
- powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
- powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- printk: Export console_printk (bsc#1071995).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: add missing endpoint sanity check (bsc#1051510).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427).
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rt2800: remove errornous duplicate condition (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl818x: fix potential use after free (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/qeth: clean up page frag creation (git-fixes).
- s390/qeth: consolidate skb allocation (git-fixes).
- s390/qeth: ensure linear access to packet headers (git-fixes).
- s390/qeth: guard against runt packets (git-fixes).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11179).
- sched/fair: Add tmp_alone_branch assertion (bnc#1156462).
- sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462).
- sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462).
- sched/fair: Optimize update_blocked_averages() (bnc#1156462).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - scsi: zfcp: trace channel log even for FCP command responses (git-fixes). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: max310x: Fix tx_empty() callback (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). 
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510). - spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510). - spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632). - stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179). - stacktrace: Provide common infrastructure (jsc#SLE-11179). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). 
- staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: rtl8192e: fix potential use after free (bsc#1051510). - staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510). - staging: rtl8723bs: Drop ACPI device ids (bsc#1051510). - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510). - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510). - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stm class: Fix a double free of stm_source_device (bsc#1051510). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - supported.conf: - synclink_gt(): fix compat_ioctl() (bsc#1051510). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510). - thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510). - tipc: Avoid copying bytes beyond the supplied data (bsc#1051510). - tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510). - tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510). - tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510). 
- tipc: compat: allow tipc commands without arguments (bsc#1051510). - tipc: fix a missing check of genlmsg_put (bsc#1051510). - tipc: fix link name length check (bsc#1051510). - tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510). - tipc: fix skb may be leaky in tipc_link_input (bsc#1051510). - tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510). - tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510). - tipc: handle the err returned from cmd header function (bsc#1051510). - tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510). - tipc: tipc clang warning (bsc#1051510). - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes). - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes). - tracing: Cleanup stack trace code (jsc#SLE-11179). - tracing: Fix tracing_stat return values in error handling paths (git-fixes). - tracing: Fix very unlikely race of registering two stat tracers (git-fixes). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: msm_serial: Fix flow control (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - uaccess: Add non-pagefault user-space write function (bsc#1083647). - ubifs: Correctly initialize c->min_log_bytes (bsc#1158641). - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850). - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856). 
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855). - ubifs: Limit the number of pages in shrink_liability (bsc#1158643). - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844). - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - usb: adutux: fix interface sanity check (bsc#1051510). - usb: Allow USB device to be warm reset in suspended state (bsc#1051510). - usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - usb: core: fix check for duplicate endpoints (git-fixes). - usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - usb: core: urb: fix URB structure initialization function (bsc#1051510). - usb: documentation: flags on usb-storage versus UAS (bsc#1051510). - usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - usb: dwc3: ep0: Clear started flag on completion (bsc#1051510). - usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes). - usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: legacy: set max_speed to super-speed (bsc#1051510). - usb: gadget: pch_udc: fix use after free (bsc#1051510). - usb: gadget: u_serial: add missing port entry locking (bsc#1051510). - usb: gadget: Zero ffs_io_data (bsc#1051510). - usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usb: idmouse: fix interface sanity checks (bsc#1051510). - usb: misc: appledisplay: fix backlight update_status return code (bsc#1051510). - usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). 
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510). - usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - usb: serial: ir-usb: fix IrLAP framing (bsc#1051510). - usb: serial: ir-usb: fix link-speed handling (bsc#1051510). - usb: serial: keyspan: handle unbound ports (bsc#1051510). - usb: serial: opticon: fix control-message timeouts (bsc#1051510). - usb: serial: option: Add support for Quectel RM500Q (bsc#1051510). - usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - usb: serial: quatech2: handle unbound ports (bsc#1051510). - usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb: serial: suppress driver bind attributes (bsc#1051510). - usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - usb: xhci: only set D3hot for pci device (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). 
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5. - video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5. - vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279). - x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279). 
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12-SP4:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-584=1

Package List:

- SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):
  kernel-default-kgraft-4.12.14-95.48.1
  kernel-default-kgraft-devel-4.12.14-95.48.1
  kgraft-patch-4_12_14-95_48-default-1-6.3.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html
https://www.suse.com/security/cve/CVE-2019-14896.html
https://www.suse.com/security/cve/CVE-2019-14897.html
https://www.suse.com/security/cve/CVE-2019-15213.html
https://www.suse.com/security/cve/CVE-2019-16994.html
https://www.suse.com/security/cve/CVE-2019-18808.html
https://www.suse.com/security/cve/CVE-2019-19036.html
https://www.suse.com/security/cve/CVE-2019-19045.html
https://www.suse.com/security/cve/CVE-2019-19051.html
https://www.suse.com/security/cve/CVE-2019-19054.html
https://www.suse.com/security/cve/CVE-2019-19066.html
https://www.suse.com/security/cve/CVE-2019-19318.html
https://www.suse.com/security/cve/CVE-2019-19319.html
https://www.suse.com/security/cve/CVE-2019-19332.html
https://www.suse.com/security/cve/CVE-2019-19338.html
https://www.suse.com/security/cve/CVE-2019-19447.html
https://www.suse.com/security/cve/CVE-2019-19523.html
https://www.suse.com/security/cve/CVE-2019-19524.html
https://www.suse.com/security/cve/CVE-2019-19525.html
https://www.suse.com/security/cve/CVE-2019-19526.html
https://www.suse.com/security/cve/CVE-2019-19527.html
https://www.suse.com/security/cve/CVE-2019-19528.html
https://www.suse.com/security/cve/CVE-2019-19529.html
https://www.suse.com/security/cve/CVE-2019-19530.html
https://www.suse.com/security/cve/CVE-2019-19531.html
https://www.suse.com/security/cve/CVE-2019-19532.html
https://www.suse.com/security/cve/CVE-2019-19533.html
https://www.suse.com/security/cve/CVE-2019-19534.html
https://www.suse.com/security/cve/CVE-2019-19535.html
https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19543.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1115026 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1120853 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1142095 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 
https://bugzilla.suse.com/1151548 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1152631 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1155689 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157908 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158094 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158394 https://bugzilla.suse.com/1158398 https://bugzilla.suse.com/1158407 https://bugzilla.suse.com/1158410 https://bugzilla.suse.com/1158413 https://bugzilla.suse.com/1158417 https://bugzilla.suse.com/1158427 https://bugzilla.suse.com/1158445 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158637 https://bugzilla.suse.com/1158638 https://bugzilla.suse.com/1158639 https://bugzilla.suse.com/1158640 https://bugzilla.suse.com/1158641 https://bugzilla.suse.com/1158643 https://bugzilla.suse.com/1158644 https://bugzilla.suse.com/1158645 https://bugzilla.suse.com/1158646 https://bugzilla.suse.com/1158647 https://bugzilla.suse.com/1158649 https://bugzilla.suse.com/1158651 https://bugzilla.suse.com/1158652 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 https://bugzilla.suse.com/1158893 https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 
https://bugzilla.suse.com/1158954 https://bugzilla.suse.com/1159024 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 
https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 From sle-security-updates at lists.suse.com Wed Mar 4 07:40:08 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: 
Wed, 4 Mar 2020 15:40:08 +0100 (CET)
Subject: SUSE-SU-2020:0586-1: Security update for postgresql96
Message-ID: <20200304144008.9C22BF798@maintenance.suse.de>

SUSE Security Update: Security update for postgresql96
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0586-1
Rating: low
References: #1163985
Cross-References: CVE-2020-1720
Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    SUSE OpenStack Cloud 7
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server for SAP 12-SP1
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-LTSS
    SUSE Linux Enterprise Server 12-SP2-BCL
    SUSE Linux Enterprise Server 12-SP1-LTSS
    SUSE Enterprise Storage 5
    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for postgresql96 fixes the following issues:

PostgreSQL was updated to version 9.6.17.

Security issue fixed:

- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-586=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-586=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-586=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-586=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-586=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-586=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-586=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-586=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-586=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-586=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-586=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-586=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-586=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  postgresql96-docs-9.6.17-3.33.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  postgresql96-9.6.17-3.33.1
  postgresql96-contrib-9.6.17-3.33.1
  postgresql96-contrib-debuginfo-9.6.17-3.33.1
  postgresql96-debuginfo-9.6.17-3.33.1
  postgresql96-debugsource-9.6.17-3.33.1
  postgresql96-libs-debugsource-9.6.17-3.33.1
  postgresql96-plperl-9.6.17-3.33.1
  postgresql96-plperl-debuginfo-9.6.17-3.33.1
  postgresql96-plpython-9.6.17-3.33.1
  postgresql96-plpython-debuginfo-9.6.17-3.33.1
  postgresql96-pltcl-9.6.17-3.33.1
  postgresql96-pltcl-debuginfo-9.6.17-3.33.1
  postgresql96-server-9.6.17-3.33.1
  postgresql96-server-debuginfo-9.6.17-3.33.1
- SUSE OpenStack Cloud 8 (x86_64):
  postgresql96-9.6.17-3.33.1
postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE OpenStack Cloud 8 (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE OpenStack Cloud 7 (s390x x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE OpenStack Cloud 7 (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): 
postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): 
postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - 
SUSE Linux Enterprise Server 12-SP2-BCL (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): postgresql96-docs-9.6.17-3.33.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 postgresql96-server-debuginfo-9.6.17-3.33.1 - SUSE Enterprise Storage 5 (noarch): postgresql96-docs-9.6.17-3.33.1 - HPE Helion Openstack 8 (x86_64): postgresql96-9.6.17-3.33.1 postgresql96-contrib-9.6.17-3.33.1 postgresql96-contrib-debuginfo-9.6.17-3.33.1 postgresql96-debuginfo-9.6.17-3.33.1 postgresql96-debugsource-9.6.17-3.33.1 postgresql96-libs-debugsource-9.6.17-3.33.1 postgresql96-plperl-9.6.17-3.33.1 postgresql96-plperl-debuginfo-9.6.17-3.33.1 postgresql96-plpython-9.6.17-3.33.1 postgresql96-plpython-debuginfo-9.6.17-3.33.1 postgresql96-pltcl-9.6.17-3.33.1 postgresql96-pltcl-debuginfo-9.6.17-3.33.1 postgresql96-server-9.6.17-3.33.1 
      postgresql96-server-debuginfo-9.6.17-3.33.1
- HPE Helion Openstack 8 (noarch):
      postgresql96-docs-9.6.17-3.33.1

References:

https://www.suse.com/security/cve/CVE-2020-1720.html
https://bugzilla.suse.com/1163985

From sle-security-updates at lists.suse.com Wed Mar 4 07:43:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Mar 2020 15:43:00 +0100 (CET)
Subject: SUSE-SU-2020:0585-1: moderate: Security update for cloud-init
Message-ID: <20200304144300.439FCF798@maintenance.suse.de>

SUSE Security Update: Security update for cloud-init
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0585-1
Rating: moderate
References: #1162936 #1162937 #1163178
Cross-References: CVE-2020-8631 CVE-2020-8632
Affected Products:
      SUSE Linux Enterprise Module for Public Cloud 15
      SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for cloud-init fixes the following security issues:

- CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937).
- CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15:
      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-585=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-585=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15 (aarch64 ppc64le s390x x86_64):
      cloud-init-19.4-5.24.1
      cloud-init-config-suse-19.4-5.24.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
      cloud-init-doc-19.4-5.24.1

References:

https://www.suse.com/security/cve/CVE-2020-8631.html
https://www.suse.com/security/cve/CVE-2020-8632.html
https://bugzilla.suse.com/1162936
https://bugzilla.suse.com/1162937
https://bugzilla.suse.com/1163178

From sle-security-updates at lists.suse.com Wed Mar 4 07:50:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Mar 2020 15:50:17 +0100 (CET)
Subject: SUSE-SU-2020:0584-1: important: Security update for the Linux Kernel
Message-ID: <20200304145017.2328FFC56@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0584-1
Rating: important
References:
      #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729
      #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810
      #1090888 #1104427 #1105392 #1111666 #1112178 #1112504 #1114279
      #1115026 #1118338 #1120853 #1123328 #1127371 #1133021 #1133147
      #1134973 #1140025 #1141054 #1142095 #1143959 #1144333 #1146519
      #1146544 #1151548 #1151910 #1151927 #1152631 #1153917 #1154243
      #1155331 #1155334 #1155689 #1156259 #1156286 #1156462 #1157155
      #1157157 #1157169 #1157303 #1157424 #1157692 #1157853 #1157908
      #1157966 #1158013 #1158021 #1158026 #1158094 #1158132 #1158381
      #1158394 #1158398 #1158407 #1158410 #1158413 #1158417 #1158427
      #1158445 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641
      #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651
      #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893
      #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159271
      #1159297 #1159394 #1159483 #1159484 #1159569 #1159588 #1159841
      #1159908 #1159909 #1159910 #1159911 #1159955 #1160195 #1160210
      #1160211 #1160218 #1160433 #1160442 #1160476 #1160560 #1160755
      #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917
      #1160966 #1160979 #1161087 #1161360 #1161514 #1161518 #1161522
      #1161523 #1161549 #1161552 #1161674 #1161702 #1161875 #1161907
      #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028
      #1162067 #1162109 #1162139 #1162557 #1162617 #1162618 #1162619
      #1162623 #1162928 #1162943 #1163383 #1163384 #1163762 #1163774
      #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845
      #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855
      #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862
      #1163863 #1163867 #1163869 #1163880 #1163971 #1164069 #1164098
      #1164115 #1164314 #1164315 #1164388 #1164471 #1164632 #1164705
      #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732
      #1164733 #1164734 #1164735
Cross-References:
      CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-15213
      CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045
      CVE-2019-19051 CVE-2019-19054 CVE-2019-19066 CVE-2019-19318
      CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447
      CVE-2019-19523 CVE-2019-19524 CVE-2019-19525 CVE-2019-19526
      CVE-2019-19527 CVE-2019-19528 CVE-2019-19529 CVE-2019-19530
      CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534
      CVE-2019-19535 CVE-2019-19536 CVE-2019-19537 CVE-2019-19543
      CVE-2019-19767 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054
      CVE-2019-20095 CVE-2019-20096 CVE-2020-2732 CVE-2020-7053
      CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products:
      SUSE Linux Enterprise Workstation Extension 12-SP4
      SUSE Linux Enterprise Software Development Kit 12-SP4
      SUSE Linux Enterprise Server 12-SP4
      SUSE Linux Enterprise Live Patching 12-SP4
      SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 43 vulnerabilities and has 163 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954).
- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823).
- CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9 (bsc#1158413).
- CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035 (bsc#1158417).
- CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893).
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900).
- CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d (bsc#1158407).
- CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41 (bnc#1158381).
- CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef (bsc#1158410).
- CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca (bsc#1158445).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824).
- CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834).
- CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29 (bsc#1158398).
- CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903).
- CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0 (bsc#1158394).
- CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9 (bsc#1158904).
- CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: OSL: only free map once in osl.c (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath6kl: Fix off by one error in scan completion (bsc#1051510).
- ath9k: fix storage endpoint lookup (git-fixes).
- atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510).
- audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf: Make use of probe_user_write in probe write helper (bsc#1083647).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: peak_usb: report bus recovery as well (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- cdrom: respect device capabilities during opening action (boo#1164632).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: add support for flock (bsc#1144333).
- cifs: Close cached root handle only if it had a lease (bsc#1144333).
- cifs: Close open handle after interrupted close (bsc#1144333).
- cifs: close the shared root handle on tree disconnect (bsc#1144333).
- cifs: Do not miss cancelled OPEN responses (bsc#1144333).
- cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mount option display for sec=krb5i (bsc#1161907).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: Fix NULL pointer dereference in mid callback (bsc#1144333).
- cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- cifs: Properly process SMB3 lease breaks (bsc#1144333).
- cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- compat_ioctl: handle SIOCOUTQNSD (bsc#1051510).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915: Add missing include file (bsc#1051510).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279) - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510). - drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279) - e1000e: Add support for Comet Lake (bsc#1158533). - e1000e: Add support for Tiger Lake (bsc#1158533). - e1000e: Increase pause and refresh time (bsc#1158533). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646). - ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647). - EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). - EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279). - Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - exit: panic before exit_mm() on global init exit (bsc#1161549). - ext2: check err when partial != NULL (bsc#1163859). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: fix punch hole for inline_data file systems (bsc#1158640). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fscrypt: do not set policy for a dead directory (bsc#1163846). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510). - genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gtp: avoid zero size hashtable (networking-stable-20_01_01). - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). 
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047). - ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047). - ibmvnic: Serialize device queries (bsc#1155689 ltc#182047). - ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047). - idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). - Input: gtco - fix endpoint sanity check (bsc#1051510). 
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - iomap: Fix pipe page leakage during splicing (bsc#1158651). - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617). - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314). - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iommu: Remove device link to group on failure (bsc#1160755). - ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510). - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510). - iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510). - iwlwifi: mvm: synchronize TID queue removal (bsc#1051510). - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862). - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836). - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860). - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863). - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880). 
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852). - kABI workaround for can/skb.h inclusion (bsc#1051510). - kABI: add _q suffix to exports that take struct dh (bsc#1155331). - kABI: protect struct sctp_ep_common (kabi). - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510). - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360). - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510). - kexec: bail out upon SIGKILL when allocating memory (git-fixes). - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840). - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840). - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840). - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes). - KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes). - KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279). - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618). - KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279). - KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). 
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - KVM: x86: Remove a spurious export of a static function (bsc#1158954). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - lib: crc64: include for 'crc64_be' (bsc#1163762). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - livepatch: Allow to distinguish different version of system state changes (bsc#1071995). - livepatch: Basic API to track system state changes (bsc#1071995 ). - livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995). - livepatch: Selftests of the API for tracking system state changes (bsc#1071995). - livepatch: Simplify stack trace retrieval (jsc#SLE-11179). - loop: fix no-unmap write-zeroes request behavior (bsc#1158637). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - mac80211: fix station inactive_time shortly after boot (bsc#1051510). - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510). - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510). 
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510). - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510). - media: af9005: uninitialized variable printked (bsc#1051510). - media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510). - media: cec: CEC 2.0-only bcast messages were ignored (git-fixes). - media: cec: report Vendor ID after initialization (bsc#1051510). - media: digitv: do not continue if remote control state can't be read (bsc#1051510). - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510). - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes). - media: gspca: zero usb_buf (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov6650: Fix control handler not freed on init error (git-fixes). - media: ov6650: Fix crop rectangle alignment not passed back (git-fixes). - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes). - media: pulse8-cec: fix lost cec_transmit_attempt_done() call. - media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510). - media: stkwebcam: Bugfix for wrong return values (bsc#1051510). - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media: uvcvideo: Fix error path in control parsing failure (git-fixes). - media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - mei: bus: prefix device names on bus with the bus name (bsc#1051510). - mfd: da9062: Fix watchdog compatible string (bsc#1051510). - mfd: dln2: More sanity checking for endpoints (bsc#1051510). - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510). 
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)") - mlx5: add parameter to disable enhanced IPoIB (bsc#1142095) - mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510). - mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510). - mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510). - mmc: tegra: fix SDR50 tuning override (bsc#1051510). - moduleparam: fix parameter description mismatch (bsc#1051510). - mod_devicetable: fix PHY module format (networking-stable-19_12_28). - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510). - mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - mwifiex: fix potential NULL dereference and use after free (bsc#1051510). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851). - nbd: prevent memory leak (bsc#1158638). - net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlx5e: Fix SFF 8472 eeprom length (git-fixes). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). 
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes). - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28). - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01). - net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - net: fix data-race in neigh_event_send() (networking-stable-19_11_10). - net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28). - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28). - net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510). - net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510). - net: phy: Check against net_device being NULL (bsc#1051510). - net: phy: dp83867: Set up RGMII TX delay (bsc#1051510). - net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510). - net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510). - net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510). - net: phy: marvell: clear wol event before setting it (bsc#1051510). - net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510). - net: phy: meson-gxl: check phy_write return value (bsc#1051510). - net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510). - net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510). - net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510). - net: phy: xgene: disable clk on error paths (bsc#1051510). - net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510). 
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510). - net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net: sched: correct flower port blocking (git-fixes). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). - netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: fdp: fix incorrect free object (networking-stable-19_11_10). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - NFC: st21nfca: fix double free (networking-stable-19_11_10). - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774). - ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644). - ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes). - PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510). - PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510). 
- PCI/PTM: Remove spurious "d" from granularity message (bsc#1051510). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510). - PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI: dwc: Fix find_next_bit() usage (bsc#1051510). - PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510). - PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510). - PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 (git-fixes). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279). - perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510). - pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510). - platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510). - platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510). - platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510). - PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510). - PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510). - power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). 
- powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). - powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086). 
- ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - printk: Export console_printk (bsc#1071995). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - pwm: Clear chip_data in pwm_put() (bsc#1051510). - pwm: clps711x: Fix period calculation (bsc#1051510). - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes). - pwm: Remove set but not set variable 'pwm' (git-fixes). - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279) - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - qede: Fix multicast mac configuration (networking-stable-19_12_28). - qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10). - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510). - quota: Check that quota is not dirty before release (bsc#1163858). - quota: fix livelock in dquot_writeback_dquots (bsc#1163857). - r8152: add missing endpoint sanity check (bsc#1051510). - r8152: get default setting of WOL before initializing (bsc#1051510). - random: move FIPS continuous test to output functions (bsc#1155334). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ). - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - regulator: rn5t618: fix module aliases (bsc#1051510). - regulator: tps65910: fix a missing check of return value (bsc#1051510). - reiserfs: Fix memory leak of journal device string (bsc#1163867). - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869). - reset: fix reset_control_ops kerneldoc comment (bsc#1051510). - resource: fix locking in find_next_iomem_res() (bsc#1114279). 
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field) - rpm/kernel-binary.spec.in: Replace Novell with SUSE - rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages - rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959) - rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling: - rpm/kernel-subpackage-spec: Unify dependency handling. - rpm/modules.fips: update module list (bsc#1157853) - rsi_91x_usb: fix interface sanity check (git-fixes). - rt2800: remove errornous duplicate condition (git-fixes). - rtc: cmos: Stop using shared IRQ (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). - rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - rtl818x: fix potential use after free (bsc#1051510). - rtl8xxxu: fix interface sanity check (git-fixes). - rtlwifi: Fix MAX MPDU of VHT capability (git-fixes). - rtlwifi: Remove redundant semicolon in wifi.h (git-fixes). - s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179). - s390/ftrace: save traced function caller (jsc#SLE-11179). - s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179). - s390/head64: correct init_task stack setup (jsc#SLE-11179). - s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179). - s390/kasan: avoid report in get_wchan (jsc#SLE-11179). - s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179). 
- s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510). - s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179). - s390/qeth: clean up page frag creation (git-fixes). - s390/qeth: consolidate skb allocation (git-fixes). - s390/qeth: ensure linear access to packet headers (git-fixes). - s390/qeth: guard against runt packets (git-fixes). - s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179). - s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179). - s390/test_unwind: print verbose unwinding results (jsc#SLE-11179). - s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179). - s390/unwind: always inline get_stack_pointer (jsc#SLE-11179). - s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179). - s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179). - s390/unwind: correct stack switching during unwind (jsc#SLE-11179). - s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179). - s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179). - s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179). - s390/unwind: fix mixing regs and sp (jsc#SLE-11179). - s390/unwind: introduce stack unwind API (jsc#SLE-11179). - s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179). - s390/unwind: remove stack recursion warning (jsc#SLE-11179). - s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179). - s390/unwind: start unwinding from reliable state (jsc#SLE-11179). - s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179). - s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179). - s390/unwind: unify task is current checks (jsc#SLE-11179). - s390: add stack switch helper (jsc#SLE-11179). - s390: add support for virtually mapped kernel stacks (jsc#SLE-11179). - s390: always inline current_stack_pointer() (jsc#SLE-11179). 
- s390: always inline disabled_wait (jsc#SLE-11179). - s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179). - s390: clean up stacks setup (jsc#SLE-11179). - s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179). - s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179). - s390: fine-tune stack switch helper (jsc#SLE-11179). - s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179). - s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179). - s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179). - s390: kabi workaround for reliable stack tracing (jsc#SLE-11179). - s390: preserve kabi for stack unwind API (jsc#SLE-11179). - s390: unify stack size definitions (jsc#SLE-11179). - sched/fair: Add tmp_alone_branch assertion (bnc#1156462). - sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462). - sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462). - sched/fair: Optimize update_blocked_averages() (bnc#1156462). - sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). 
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - scsi: zfcp: trace channel log even for FCP command responses (git-fixes). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: max310x: Fix tx_empty() callback (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). 
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510). - spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510). - spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632). - stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179). - stacktrace: Provide common infrastructure (jsc#SLE-11179). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). 
- staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: rtl8192e: fix potential use after free (bsc#1051510). - staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510). - staging: rtl8723bs: Drop ACPI device ids (bsc#1051510). - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510). - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510). - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stm class: Fix a double free of stm_source_device (bsc#1051510). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - supported.conf: - synclink_gt(): fix compat_ioctl() (bsc#1051510). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510). - thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510). - tipc: Avoid copying bytes beyond the supplied data (bsc#1051510). - tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510). - tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510). - tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510). 
- tipc: compat: allow tipc commands without arguments (bsc#1051510). - tipc: fix a missing check of genlmsg_put (bsc#1051510). - tipc: fix link name length check (bsc#1051510). - tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510). - tipc: fix skb may be leaky in tipc_link_input (bsc#1051510). - tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510). - tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510). - tipc: handle the err returned from cmd header function (bsc#1051510). - tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510). - tipc: tipc clang warning (bsc#1051510). - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes). - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes). - tracing: Cleanup stack trace code (jsc#SLE-11179). - tracing: Fix tracing_stat return values in error handling paths (git-fixes). - tracing: Fix very unlikely race of registering two stat tracers (git-fixes). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: msm_serial: Fix flow control (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - uaccess: Add non-pagefault user-space write function (bsc#1083647). - ubifs: Correctly initialize c->min_log_bytes (bsc#1158641). - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850). - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856). 
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855). - ubifs: Limit the number of pages in shrink_liability (bsc#1158643). - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844). - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - usb: adutux: fix interface sanity check (bsc#1051510). - usb: Allow USB device to be warm reset in suspended state (bsc#1051510). - usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - usb: core: fix check for duplicate endpoints (git-fixes). - usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - usb: core: urb: fix URB structure initialization function (bsc#1051510). - usb: documentation: flags on usb-storage versus UAS (bsc#1051510). - usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - usb: dwc3: ep0: Clear started flag on completion (bsc#1051510). - usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes). - usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: legacy: set max_speed to super-speed (bsc#1051510). - usb: gadget: pch_udc: fix use after free (bsc#1051510). - usb: gadget: u_serial: add missing port entry locking (bsc#1051510). - usb: gadget: Zero ffs_io_data (bsc#1051510). - usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usb: idmouse: fix interface sanity checks (bsc#1051510). - usb: misc: appledisplay: fix backlight update_status return code (bsc#1051510). - usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). 
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510). - usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - usb: serial: ir-usb: fix IrLAP framing (bsc#1051510). - usb: serial: ir-usb: fix link-speed handling (bsc#1051510). - usb: serial: keyspan: handle unbound ports (bsc#1051510). - usb: serial: opticon: fix control-message timeouts (bsc#1051510). - usb: serial: option: Add support for Quectel RM500Q (bsc#1051510). - usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - usb: serial: quatech2: handle unbound ports (bsc#1051510). - usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb: serial: suppress driver bind attributes (bsc#1051510). - usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - usb: xhci: only set D3hot for pci device (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). 
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5. - video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5. - vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279). - x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279). 
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xen/balloon: Support xend-based toolstack take two (bsc#1065600). - xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xen: Enable interrupts when calling _cond_resched() (bsc#1065600). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). - xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652). - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510). - xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510). - zd1211rw: fix storage endpoint lookup (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP4:

      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-584=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-584=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-584=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-584=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-584=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):

      kernel-default-debuginfo-4.12.14-95.48.1
      kernel-default-debugsource-4.12.14-95.48.1
      kernel-default-extra-4.12.14-95.48.1
      kernel-default-extra-debuginfo-4.12.14-95.48.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-4.12.14-95.48.1
      kernel-obs-build-debugsource-4.12.14-95.48.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

      kernel-docs-4.12.14-95.48.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-95.48.1
      kernel-default-base-4.12.14-95.48.1
      kernel-default-base-debuginfo-4.12.14-95.48.1
      kernel-default-debuginfo-4.12.14-95.48.1
      kernel-default-debugsource-4.12.14-95.48.1
      kernel-default-devel-4.12.14-95.48.1
      kernel-syms-4.12.14-95.48.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.48.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      kernel-devel-4.12.14-95.48.1
      kernel-macros-4.12.14-95.48.1
      kernel-source-4.12.14-95.48.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x):

      kernel-default-man-4.12.14-95.48.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):

      kernel-default-kgraft-4.12.14-95.48.1
      kernel-default-kgraft-devel-4.12.14-95.48.1
      kgraft-patch-4_12_14-95_48-default-1-6.3.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
cluster-md-kmp-default-4.12.14-95.48.1 cluster-md-kmp-default-debuginfo-4.12.14-95.48.1 dlm-kmp-default-4.12.14-95.48.1 dlm-kmp-default-debuginfo-4.12.14-95.48.1 gfs2-kmp-default-4.12.14-95.48.1 gfs2-kmp-default-debuginfo-4.12.14-95.48.1 kernel-default-debuginfo-4.12.14-95.48.1 kernel-default-debugsource-4.12.14-95.48.1 ocfs2-kmp-default-4.12.14-95.48.1 ocfs2-kmp-default-debuginfo-4.12.14-95.48.1 References: https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-15213.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19051.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19338.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19524.html https://www.suse.com/security/cve/CVE-2019-19525.html https://www.suse.com/security/cve/CVE-2019-19526.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19528.html https://www.suse.com/security/cve/CVE-2019-19529.html https://www.suse.com/security/cve/CVE-2019-19530.html https://www.suse.com/security/cve/CVE-2019-19531.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19534.html https://www.suse.com/security/cve/CVE-2019-19535.html 
https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19543.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1115026 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1120853 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1142095 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 
https://bugzilla.suse.com/1151548 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1152631 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1155689 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157908 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158094 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158394 https://bugzilla.suse.com/1158398 https://bugzilla.suse.com/1158407 https://bugzilla.suse.com/1158410 https://bugzilla.suse.com/1158413 https://bugzilla.suse.com/1158417 https://bugzilla.suse.com/1158427 https://bugzilla.suse.com/1158445 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158637 https://bugzilla.suse.com/1158638 https://bugzilla.suse.com/1158639 https://bugzilla.suse.com/1158640 https://bugzilla.suse.com/1158641 https://bugzilla.suse.com/1158643 https://bugzilla.suse.com/1158644 https://bugzilla.suse.com/1158645 https://bugzilla.suse.com/1158646 https://bugzilla.suse.com/1158647 https://bugzilla.suse.com/1158649 https://bugzilla.suse.com/1158651 https://bugzilla.suse.com/1158652 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 https://bugzilla.suse.com/1158893 https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 
https://bugzilla.suse.com/1158954 https://bugzilla.suse.com/1159024 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 
https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 From sle-security-updates at lists.suse.com Wed Mar 4 08:16:39 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: 
Wed, 4 Mar 2020 16:16:39 +0100 (CET) Subject: SUSE-SU-2020:0580-1: important: Security update for the Linux Kernel Message-ID: <20200304151639.05C15FC56@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0580-1 Rating: important References: #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810 #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1105392 #1109837 #1111666 #1112178 #1112374 #1112504 #1113956 #1114279 #1114648 #1114685 #1118661 #1123328 #1126206 #1127371 #1127611 #1127682 #1129551 #1133021 #1133147 #1134973 #1140025 #1142685 #1143959 #1144333 #1151910 #1151927 #1153535 #1153917 #1154243 #1154601 #1155331 #1155334 #1156259 #1156286 #1156609 #1157155 #1157157 #1157424 #1157480 #1157692 #1157853 #1157966 #1158013 #1158021 #1158026 #1158071 #1158819 #1159028 #1159096 #1159271 #1159297 #1159377 #1159394 #1159483 #1159484 #1159500 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160147 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618 #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1160979 #1161087 #1161243 #1161360 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161702 #1161875 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162171 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1164069 #1164098 #1164314 #1164315 #1164471 Cross-References: CVE-2019-14615 CVE-2019-14896 
CVE-2019-14897 CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19767 CVE-2019-19927 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992

Affected Products:
   SUSE Linux Enterprise Workstation Extension 12-SP5
   SUSE Linux Enterprise Software Development Kit 12-SP5
   SUSE Linux Enterprise Server 12-SP5
   SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves 22 vulnerabilities and has 152 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi driver. A remote attacker could cause a denial of service (system crash) or possibly execute arbitrary code when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi driver. An attacker is able to cause a denial of service (system crash) or possibly execute arbitrary code when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692). - CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522). - CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518). - CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026). - CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021). - CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819). - CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297). - CVE-2019-19927: A slab-out-of-bounds read access occurred when mounting a crafted f2fs filesystem image and performing some operations on it (bnc#1160147). - CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911). - CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910). - CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909). - CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908). - CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966). - CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109). - CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928). - CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510). - ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557). - ACPI / watchdog: Set default timeout in probe (bsc#1162557). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510). - ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666). - ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666). - ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666). - ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666). - ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666). - ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666). - ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - More constifications (bsc#1111666). - ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666). 
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666). - ALSA: hda: Clear RIRB status before reading WP (bsc#1111666). - ALSA: hda: constify copied structure (bsc#1111666). - ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666). - ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666). - ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666). - ALSA: hda: hdmi - add Tigerlake support (bsc#1111666). - ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666). - ALSA: hda: More constifications (bsc#1111666). - ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666). - ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666). - ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666). - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: seq: Avoid concurrent access to queue flags (git-fixes). - ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: sh: Fix unused variable warnings (bsc#1111666). - ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666). - ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - apparmor: fix unsigned len comparison with less than zero (git-fixes). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). 
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666). - ASoC: sun8i-codec: Fix setting DAI data format (git-fixes). - ASoC: wm8962: fix lambda value (git-fixes). - ath10k: Correct the DMA direction for management tx buffers (bsc#1111666). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666). - ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666). - ath9k: fix storage endpoint lookup (git-fixes). - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762). - bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). - bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). - bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). - bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). - bcache: fix static checker warning in bcache_device_free() (bsc#1163762). - bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504). - bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762). - bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762). - bcache: remove macro nr_to_fifo_front() (bsc#1163762). - bcache: remove member accessed from struct btree (bsc#1163762). - bcache: remove the extra cflags for request.o (bsc#1163762). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840). - blk-mq: make sure that line break can be printed (bsc#1159377). - blk-mq: make sure that line break can be printed (bsc#1164098). - Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510). - bnxt: apply computed clamp value for coalece parameter (bsc#1104745). - bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745). - bnxt_en: Return error if FW returns more data than dump length (bsc#1104745). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10). - bonding: fix state transition issue in link monitoring (networking-stable-19_11_10). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647). - bpf: add self-check logic to liveness analysis (bsc#1160618). - bpf: add verifier stats and log_level bit 2 (bsc#1160618). - bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647). - bpf: improve stacksafe state comparison (bco#1160618). - bpf: improve verification speed by droping states (bsc#1160618). - bpf: improve verification speed by not remarking live_read (bsc#1160618). - bpf: improve verifier branch analysis (bsc#1160618). - bpf: increase complexity limit and maximum program size (bsc#1160618). - bpf: increase verifier log limit (bsc#1160618). - bpf: Reject indirect var_off stack access in raw mode (bsc#1160618). - bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618). - bpf: Sanity check max value for var_off stack access (bco#1160618). - bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837). - bpf: speed up stacksafe check (bco#1160618). - bpf: Support variable offset stack access from helpers (bco#1160618). - bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). - btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). 
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during fsync after rename operations (bsc#1163383). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: simplify inode locking for RWF_NOWAIT (git-fixes). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). 
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). 
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510). - CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix deadlocks in autodisconnect work (bsc#1111666). - cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - cifs: add support for flock (bsc#1144333). - cifs: Close cached root handle only if it had a lease (bsc#1144333). - cifs: Close open handle after interrupted close (bsc#1144333). - cifs: close the shared root handle on tree disconnect (bsc#1144333). - cifs: Do not miss cancelled OPEN responses (bsc#1144333). - cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: fix mount option display for sec=krb5i (bsc#1161907). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: Fix NULL pointer dereference in mid callback (bsc#1144333). - cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). 
- cifs: Properly process SMB3 lease breaks (bsc#1144333). - cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). - configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - Cover up kABI breakage due to DH key verification (bsc#1155331). - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666). - crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: dh - add public key verification test (bsc#1155331). - crypto: dh - fix calculating encoded key size (bsc#1155331). - crypto: dh - fix memory leak (bsc#1155331). - crypto: dh - update test for public key verification (bsc#1155331). - crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334). - crypto: ecdh - add public key verification test (bsc#1155331). - crypto: ecdh - fix typo of P-192 b value (bsc#1155331). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - cxgb4: request the TX CIDX updates to status page (bsc#1127371). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - Documentation: Document arm64 kpti control (bsc#1162623). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). - drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666). - drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666). - drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). 
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178) - drm/i915/gvt: set guest display buffer as readonly (bsc#1112178) - drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178) - drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666). - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666). - drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666). - drm/i915: Sanity check mmap length against object size (bsc#1111666). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666). - drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666). - drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). 
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rect: Avoid division by zero (bsc#1111666). - drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666). - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956) - drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666). - drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666). - drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510). - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - exit: panic before exit_mm() on global init exit (bsc#1161549). - ext2: check err when partial != NULL (bsc#1163859). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: fix mount failure with quota configured as module (bsc#1164471). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fscrypt: do not set policy for a dead directory (bsc#1163846). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510). - genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gtp: avoid zero size hashtable (networking-stable-20_01_01). - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). 
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - IB/mlx5: Fix steering rule of drop and count (bsc#1103991 ). - IB/mlx5: Remove dead code (bsc#1103991). - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ice: fix stack leakage (bsc#1118661). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11178). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). - Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). 
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469).
- iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: change monitor DMA to be coherent (bsc#1161243).
- iwlwifi: clear persistence bit according to device family (bsc#1111666).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: Protest new fields in BPF structs (bsc#1160618).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- lib: crc64: include for 'crc64_be' (bsc#1163762).
- lib: crc64: include for 'crc64_be' (bsc#1163762).
- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535).
- libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834).
- libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11178).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- missing escaping of backslashes in macro expansions
  Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.")
  Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374).
- mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374).
- mm, debug_pagealloc: do not rely on static keys too early (VM debuging functionality, bsc#1159096).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci: Add a quirk for broken command queuing (git-fixes).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: update set_mac_address logic (bsc#1111666).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989).
- net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net: hns3: fix ETS bandwidth validation bug (bsc#1104353).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837).
- net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028).
- PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028).
- PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028).
- PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028).
- PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028).
- PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551).
- powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
- powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
- powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028).
- powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
- powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: add missing endpoint sanity check (bsc#1051510).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206).
- RDMA/hns: Correct the value of srq_desc_size (bsc#1104427).
- RDMA/hns: Fix to support 64K page for srq (bsc#1104427).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427).
- README.BRANCH: Update the branch name to cve/linux-4.12
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959)
  For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build
  There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11178).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11178).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11178).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11178).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11178).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11178).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11178).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11178).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11178).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11178).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11178).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11178).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11178).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11178).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11178).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11178).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11178).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11178).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11178).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11178).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11178).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11178).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11178).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11178).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11178).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11178).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11178).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- s390: add stack switch helper (jsc#SLE-11178).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11178).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11178).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11178).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11178).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11178).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11178).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11178).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11178).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11178).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11178).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11178).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11178).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11178).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11178).
- s390: unify stack size definitions (jsc#SLE-11179).
- scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11178).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11178).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11178).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179).
- stacktrace: Provide common infrastructure (jsc#SLE-11178).
- stacktrace: Provide common infrastructure (jsc#SLE-11179).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11178).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11178).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11178).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- Temporary workaround for bsc#1159096 should no longer be needed.
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Cleanup stack trace code (jsc#SLE-11178).
- tracing: Cleanup stack trace code (jsc#SLE-11179).
- tracing: Fix tracing_stat return values in error handling paths (git-fixes).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
- usb: adutux: fix interface sanity check (bsc#1051510).
- usb: Allow USB device to be warm reset in suspended state (bsc#1051510).
- usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- usb: core: fix check for duplicate endpoints (git-fixes).
- usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- usb: core: urb: fix URB structure initialization function (bsc#1051510).
- usb: documentation: flags on usb-storage versus UAS (bsc#1051510).
- usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- usb: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- usb: gadget: pch_udc: fix use after free (bsc#1051510).
- usb: gadget: u_serial: add missing port entry locking (bsc#1051510).
- usb: gadget: Zero ffs_io_data (bsc#1051510).
- usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usb: idmouse: fix interface sanity checks (bsc#1051510).
- usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510).
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - usb: roles: fix a potential use after free (git-fixes). - usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - usb: serial: ir-usb: fix IrLAP framing (bsc#1051510). - usb: serial: ir-usb: fix link-speed handling (bsc#1051510). - usb: serial: keyspan: handle unbound ports (bsc#1051510). - usb: serial: opticon: fix control-message timeouts (bsc#1051510). - usb: serial: option: Add support for Quectel RM500Q (bsc#1051510). - usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - usb: serial: quatech2: handle unbound ports (bsc#1051510). - usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb: serial: suppress driver bind attributes (bsc#1051510). - usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - usb: xhci: only set D3hot for pci device (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). 
- watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
- watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
- watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
- wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
- wireless: wext: avoid gcc -O3 warning (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
- x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/resctrl: Prevent possible overrun during bitmap operations (bsc#1114648).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfrm: Fix sa selector validation (bsc#1156609).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:

  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-580=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-580=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-580=1

- SUSE Linux Enterprise High Availability 12-SP5:

  zypper in -t patch SUSE-SLE-HA-12-SP5-2020-580=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

  kernel-default-debuginfo-4.12.14-122.17.1
  kernel-default-debugsource-4.12.14-122.17.1
  kernel-default-extra-4.12.14-122.17.1
  kernel-default-extra-debuginfo-4.12.14-122.17.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

  kernel-obs-build-4.12.14-122.17.1
  kernel-obs-build-debugsource-4.12.14-122.17.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

  kernel-docs-4.12.14-122.17.2

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  kernel-default-4.12.14-122.17.1
  kernel-default-base-4.12.14-122.17.1
  kernel-default-base-debuginfo-4.12.14-122.17.1
  kernel-default-debuginfo-4.12.14-122.17.1
  kernel-default-debugsource-4.12.14-122.17.1
  kernel-default-devel-4.12.14-122.17.1
  kernel-syms-4.12.14-122.17.1

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  kernel-default-devel-debuginfo-4.12.14-122.17.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  kernel-devel-4.12.14-122.17.1
  kernel-macros-4.12.14-122.17.1
  kernel-source-4.12.14-122.17.1

- SUSE Linux Enterprise Server 12-SP5 (s390x):

  kernel-default-man-4.12.14-122.17.1

- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

  cluster-md-kmp-default-4.12.14-122.17.1
  cluster-md-kmp-default-debuginfo-4.12.14-122.17.1
  dlm-kmp-default-4.12.14-122.17.1
  dlm-kmp-default-debuginfo-4.12.14-122.17.1
  gfs2-kmp-default-4.12.14-122.17.1
  gfs2-kmp-default-debuginfo-4.12.14-122.17.1
  kernel-default-debuginfo-4.12.14-122.17.1
  kernel-default-debugsource-4.12.14-122.17.1
  ocfs2-kmp-default-4.12.14-122.17.1
  ocfs2-kmp-default-debuginfo-4.12.14-122.17.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19927.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html
https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1103989 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114648 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1118661 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1126206 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1127682 https://bugzilla.suse.com/1129551 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1153535 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 
https://bugzilla.suse.com/1154601 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156609 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157480 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158071 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159096 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159377 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159500 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160147 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160469 https://bugzilla.suse.com/1160470 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160618 https://bugzilla.suse.com/1160678 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1160979 
https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161243 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161472 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163206 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 
https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164471

From sle-security-updates at lists.suse.com Wed Mar 4 08:39:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Mar 2020 16:39:01 +0100 (CET)
Subject: SUSE-SU-2020:0580-1: important: Security update for the Linux Kernel
Message-ID: <20200304153901.BE60BF79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0580-1
Rating: important
References: #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995 #1083647 #1085030 #1086301 #1086313 #1086314 #1088810 #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1105392 #1109837 #1111666 #1112178 #1112374 #1112504 #1113956 #1114279 #1114648 #1114685 #1118661 #1123328 #1126206 #1127371 #1127611 #1127682 #1129551 #1133021 #1133147 #1134973 #1140025 #1142685 #1143959 #1144333 #1151910 #1151927 #1153535 #1153917 #1154243 #1154601 #1155331 #1155334 #1156259 #1156286 #1156609 #1157155 #1157157 #1157424 #1157480 #1157692 #1157853 #1157966 #1158013 #1158021 #1158026 #1158071 #1158819 #1159028 #1159096 #1159271 #1159297 #1159377 #1159394 #1159483 #1159484 #1159500 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160147 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618 #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1160979 #1161087 #1161243 #1161360 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161702 #1161875 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 #1162171 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1164069 #1164098 #1164314 #1164315 #1164471
Cross-References: CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19767 CVE-2019-19927 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-7053 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products:
  SUSE Linux Enterprise Workstation Extension 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Live Patching 12-SP5
  SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves 22 vulnerabilities and has 152 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi driver. A remote attacker could cause a denial of service (system crash) or possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi driver.
  An attacker is able to cause a denial of service (system crash) or possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-19927: A slab-out-of-bounds read access occurred when mounting a crafted f2fs filesystem image and performing some operations on it (bnc#1160147).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - More constifications (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666).
- ALSA: hda: Clear RIRB status before reading WP (bsc#1111666).
- ALSA: hda: constify copied structure (bsc#1111666).
- ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666).
- ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666).
- ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666).
- ALSA: hda: hdmi - add Tigerlake support (bsc#1111666).
- ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666).
- ALSA: hda: More constifications (bsc#1111666).
- ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666).
- ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: sh: Fix unused variable warnings (bsc#1111666).
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666).
- ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ath10k: Correct the DMA direction for management tx buffers (bsc#1111666).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666).
- ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666).
- ath9k: fix storage endpoint lookup (git-fixes).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1159377).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- bnxt: apply computed clamp value for coalece parameter (bsc#1104745).
- bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745).
- bnxt_en: Return error if FW returns more data than dump length (bsc#1104745).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647).
- bpf: add self-check logic to liveness analysis (bsc#1160618).
- bpf: add verifier stats and log_level bit 2 (bsc#1160618).
- bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647).
- bpf: improve stacksafe state comparison (bco#1160618).
- bpf: improve verification speed by droping states (bsc#1160618).
- bpf: improve verification speed by not remarking live_read (bsc#1160618).
- bpf: improve verifier branch analysis (bsc#1160618).
- bpf: increase complexity limit and maximum program size (bsc#1160618).
- bpf: increase verifier log limit (bsc#1160618).
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618).
- bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618).
- bpf: Sanity check max value for var_off stack access (bco#1160618).
- bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837).
- bpf: speed up stacksafe check (bco#1160618).
- bpf: Support variable offset stack access from helpers (bco#1160618).
- bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510). - CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix deadlocks in autodisconnect work (bsc#1111666). - cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - cifs: add support for flock (bsc#1144333). - cifs: Close cached root handle only if it had a lease (bsc#1144333). - cifs: Close open handle after interrupted close (bsc#1144333). 
- cifs: close the shared root handle on tree disconnect (bsc#1144333). - cifs: Do not miss cancelled OPEN responses (bsc#1144333). - cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: fix mount option display for sec=krb5i (bsc#1161907). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: Fix NULL pointer dereference in mid callback (bsc#1144333). - cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - cifs: Properly process SMB3 lease breaks (bsc#1144333). - cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). 
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - Cover up kABI breakage due to DH key verification (bsc#1155331). - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: dh - add public key verification test (bsc#1155331). - crypto: dh - fix calculating encoded key size (bsc#1155331). - crypto: dh - fix memory leak (bsc#1155331). - crypto: dh - update test for public key verification (bsc#1155331). - crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334). - crypto: ecdh - add public key verification test (bsc#1155331). - crypto: ecdh - fix typo of P-192 b value (bsc#1155331). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - cxgb4: request the TX CIDX updates to status page (bsc#1127371). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - Documentation: Document arm64 kpti control (bsc#1162623). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666). - drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666). - drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178) - drm/i915/gvt: set guest display buffer as readonly (bsc#1112178) - drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178) - drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666). - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666). 
- drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666). - drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666). - drm/i915: Sanity check mmap length against object size (bsc#1111666). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666). - drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666). - drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rect: Avoid division by zero (bsc#1111666). - drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666). - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956) - drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666). - drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666). - drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510). - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: fix mount failure with quota configured as module (bsc#1164471). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fscrypt: do not set policy for a dead directory (bsc#1163846). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510). - genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gtp: avoid zero size hashtable (networking-stable-20_01_01). 
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - IB/mlx5: Fix steering rule of drop and count (bsc#1103991 ). - IB/mlx5: Remove dead code (bsc#1103991). - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ice: fix stack leakage (bsc#1118661). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11178). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). 
- Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617). - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314). - iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469). - iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iommu: Remove device link to group on failure (bsc#1160755). - ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: change monitor DMA to be coherent (bsc#1161243). - iwlwifi: clear persistence bit according to device family (bsc#1111666). - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510). - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510). - iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510). - iwlwifi: mvm: synchronize TID queue removal (bsc#1051510). - iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666). - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862). 
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836). - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860). - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863). - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880). - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852). - kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678). - kABI workaround for can/skb.h inclusion (bsc#1051510). - kABI/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028). - kABI: add _q suffix to exports that take struct dh (bsc#1155331). - kABI: protect struct sctp_ep_common (kabi). - kABI: Protest new fields in BPF structs (bsc#1160618). - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510). - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360). - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510). - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021). - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840). - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840). - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840). - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes). - KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes). - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618). - kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). 
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - lib: crc64: include for 'crc64_be' (bsc#1163762). - libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535). - libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834). - libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - livepatch: Simplify stack trace retrieval (jsc#SLE-11178). - livepatch: Simplify stack trace retrieval (jsc#SLE-11179). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666). - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510). - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510). - macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510). - media: af9005: uninitialized variable printked (bsc#1051510). - media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510). - media: cec: CEC 2.0-only bcast messages were ignored (git-fixes). - media: cec: report Vendor ID after initialization (bsc#1051510). - media: digitv: do not continue if remote control state can't be read (bsc#1051510). - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510). - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes). - media: gspca: zero usb_buf (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes). - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes). - media: pulse8-cec: fix lost cec_transmit_attempt_done() call. - media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510). - media: stkwebcam: Bugfix for wrong return values (bsc#1051510). - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - mfd: da9062: Fix watchdog compatible string (bsc#1051510). - mfd: dln2: More sanity checking for endpoints (bsc#1051510). - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510). - missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)") - mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374). - mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374). - mm, debug_pagealloc: do not rely on static keys too early (VM debuging functionality, bsc#1159096). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510). - mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510). - mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510). - mmc: sdhci: Add a quirk for broken command queuing (git-fixes). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes). - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510). 
- mmc: tegra: fix SDR50 tuning override (bsc#1051510). - mod_devicetable: fix PHY module format (networking-stable-19_12_28). - mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837). - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510). - mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - mwifiex: update set_mac_address logic (bsc#1111666). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851). - net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989). - net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990). - net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303). - net/mlx5: Update the list of the PCI supported devices (bsc#1127611). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlx5e: Fix SFF 8472 eeprom length (git-fixes). - net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes). - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28). - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01). - net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - net: fix data-race in neigh_event_send() (networking-stable-19_11_10). 
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28). - net: hns3: fix ETS bandwidth validation bug (bsc#1104353 ). - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837). - net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). - netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: fdp: fix incorrect free object (networking-stable-19_11_10). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - NFC: st21nfca: fix double free (networking-stable-19_11_10). - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). 
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028). - PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028). - PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028). - PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028). - PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028). - PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279). - perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510). - platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510). - power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551). 
- powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). - powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes). - powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028). - powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028). - powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028). - powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028). - powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). 
- powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086). - ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes). - pwm: Remove set but not set variable 'pwm' (git-fixes). - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279) - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - qede: Fix multicast mac configuration (networking-stable-19_12_28). - qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10). - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510). - quota: Check that quota is not dirty before release (bsc#1163858). - quota: fix livelock in dquot_writeback_dquots (bsc#1163857). - r8152: add missing endpoint sanity check (bsc#1051510). - r8152: get default setting of WOL before initializing (bsc#1051510). - random: move FIPS continuous test to output functions (bsc#1155334). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206). - RDMA/hns: Correct the value of srq_desc_size (bsc#1104427 ). - RDMA/hns: Fix to support 64K page for srq (bsc#1104427 ). - RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ). - README.BRANCH: Update the branch name to cve/linux-4.12 - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). 
- regulator: rn5t618: fix module aliases (bsc#1051510). - reiserfs: Fix memory leak of journal device string (bsc#1163867). - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869). - rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field) - rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322). - rpm/kernel-binary.spec.in: Replace Novell with SUSE - rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages - rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959) - rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling: - rpm/kernel-subpackage-spec: Unify dependency handling. - rpm/modules.fips: update module list (bsc#1157853) - rsi_91x_usb: fix interface sanity check (git-fixes). - rtc: cmos: Stop using shared IRQ (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). - rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - rtl8xxxu: fix interface sanity check (git-fixes). - s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179). - s390/ftrace: save traced function caller (jsc#SLE-11178). - s390/ftrace: save traced function caller (jsc#SLE-11179). - s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11178). - s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179). - s390/head64: correct init_task stack setup (jsc#SLE-11178). - s390/head64: correct init_task stack setup (jsc#SLE-11179). 
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11178). - s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179). - s390/kasan: avoid report in get_wchan (jsc#SLE-11178). - s390/kasan: avoid report in get_wchan (jsc#SLE-11179). - s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11178). - s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179). - s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11178). - s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179). - s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11178). - s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179). - s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11178). - s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179). - s390/test_unwind: print verbose unwinding results (jsc#SLE-11178). - s390/test_unwind: print verbose unwinding results (jsc#SLE-11179). - s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11178). - s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179). - s390/unwind: always inline get_stack_pointer (jsc#SLE-11178). - s390/unwind: always inline get_stack_pointer (jsc#SLE-11179). - s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11178). - s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179). - s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11178). - s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179). - s390/unwind: correct stack switching during unwind (jsc#SLE-11178). - s390/unwind: correct stack switching during unwind (jsc#SLE-11179). - s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11178). - s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179). - s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11178). 
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179). - s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11178). - s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179). - s390/unwind: fix mixing regs and sp (jsc#SLE-11178). - s390/unwind: fix mixing regs and sp (jsc#SLE-11179). - s390/unwind: introduce stack unwind API (jsc#SLE-11178). - s390/unwind: introduce stack unwind API (jsc#SLE-11179). - s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11178). - s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179). - s390/unwind: remove stack recursion warning (jsc#SLE-11178). - s390/unwind: remove stack recursion warning (jsc#SLE-11179). - s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11178). - s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179). - s390/unwind: start unwinding from reliable state (jsc#SLE-11178). - s390/unwind: start unwinding from reliable state (jsc#SLE-11179). - s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11178). - s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179). - s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11178). - s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179). - s390/unwind: unify task is current checks (jsc#SLE-11178). - s390/unwind: unify task is current checks (jsc#SLE-11179). - s390: add stack switch helper (jsc#SLE-11178). - s390: add stack switch helper (jsc#SLE-11179). - s390: add support for virtually mapped kernel stacks (jsc#SLE-11178). - s390: add support for virtually mapped kernel stacks (jsc#SLE-11179). - s390: always inline current_stack_pointer() (jsc#SLE-11178). - s390: always inline current_stack_pointer() (jsc#SLE-11179). - s390: always inline disabled_wait (jsc#SLE-11178). - s390: always inline disabled_wait (jsc#SLE-11179). - s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11178). 
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179). - s390: clean up stacks setup (jsc#SLE-11178). - s390: clean up stacks setup (jsc#SLE-11179). - s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11178). - s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179). - s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11178). - s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179). - s390: fine-tune stack switch helper (jsc#SLE-11178). - s390: fine-tune stack switch helper (jsc#SLE-11179). - s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11178). - s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179). - s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11178). - s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179). - s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11178). - s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179). - s390: kabi workaround for reliable stack tracing (jsc#SLE-11178). - s390: kabi workaround for reliable stack tracing (jsc#SLE-11179). - s390: preserve kabi for stack unwind API (jsc#SLE-11178). - s390: preserve kabi for stack unwind API (jsc#SLE-11179). - s390: unify stack size definitions (jsc#SLE-11178). - s390: unify stack size definitions (jsc#SLE-11179). - scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). 
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). 
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11178). - stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11178). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11178). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179). - stacktrace: Provide common infrastructure (jsc#SLE-11178). - stacktrace: Provide common infrastructure (jsc#SLE-11179). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11178). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11178). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11178). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179). 
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). - staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510). - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510). - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - Temporary workaround for bsc#1159096 should no longer be needed. - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes). - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes). - tracing: Cleanup stack trace code (jsc#SLE-11178). - tracing: Cleanup stack trace code (jsc#SLE-11179). - tracing: Fix tracing_stat return values in error handling paths (git-fixes). - tracing: Fix very unlikely race of registering two stat tracers (git-fixes). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). 
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850). - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856). - ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855). - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844). - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - usb: adutux: fix interface sanity check (bsc#1051510). - usb: Allow USB device to be warm reset in suspended state (bsc#1051510). - usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - usb: core: fix check for duplicate endpoints (git-fixes). - usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - usb: core: urb: fix URB structure initialization function (bsc#1051510). - usb: documentation: flags on usb-storage versus UAS (bsc#1051510). - usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - usb: dwc3: ep0: Clear started flag on completion (bsc#1051510). - usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes). - usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: legacy: set max_speed to super-speed (bsc#1051510). - usb: gadget: pch_udc: fix use after free (bsc#1051510). - usb: gadget: u_serial: add missing port entry locking (bsc#1051510). 
- usb: gadget: Zero ffs_io_data (bsc#1051510). - usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usb: idmouse: fix interface sanity checks (bsc#1051510). - usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). - usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - usb: roles: fix a potential use after free (git-fixes). - usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - usb: serial: ir-usb: fix IrLAP framing (bsc#1051510). - usb: serial: ir-usb: fix link-speed handling (bsc#1051510). - usb: serial: keyspan: handle unbound ports (bsc#1051510). - usb: serial: opticon: fix control-message timeouts (bsc#1051510). - usb: serial: option: Add support for Quectel RM500Q (bsc#1051510). - usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - usb: serial: quatech2: handle unbound ports (bsc#1051510). - usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb: serial: suppress driver bind attributes (bsc#1051510). - usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). 
- usb: xhci: only set D3hot for pci device (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). 
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/resctrl: Prevent possible overrun during bitmap operations (bsc#1114648).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfrm: Fix sa selector validation (bsc#1156609).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-580=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-580=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-580=1

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-580=1

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-580=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      kernel-default-debuginfo-4.12.14-122.17.1
      kernel-default-debugsource-4.12.14-122.17.1
      kernel-default-extra-4.12.14-122.17.1
      kernel-default-extra-debuginfo-4.12.14-122.17.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-4.12.14-122.17.1
      kernel-obs-build-debugsource-4.12.14-122.17.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      kernel-docs-4.12.14-122.17.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-122.17.1
      kernel-default-base-4.12.14-122.17.1
      kernel-default-base-debuginfo-4.12.14-122.17.1
      kernel-default-debuginfo-4.12.14-122.17.1
      kernel-default-debugsource-4.12.14-122.17.1
      kernel-default-devel-4.12.14-122.17.1
      kernel-syms-4.12.14-122.17.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-122.17.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      kernel-devel-4.12.14-122.17.1
      kernel-macros-4.12.14-122.17.1
      kernel-source-4.12.14-122.17.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x):

      kernel-default-man-4.12.14-122.17.1

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):

      kernel-default-debuginfo-4.12.14-122.17.1
      kernel-default-debugsource-4.12.14-122.17.1
      kernel-default-kgraft-4.12.14-122.17.1
      kernel-default-kgraft-devel-4.12.14-122.17.1
      kgraft-patch-4_12_14-122_17-default-1-8.5.1

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-122.17.1
      cluster-md-kmp-default-debuginfo-4.12.14-122.17.1
      dlm-kmp-default-4.12.14-122.17.1
      dlm-kmp-default-debuginfo-4.12.14-122.17.1
      gfs2-kmp-default-4.12.14-122.17.1
      gfs2-kmp-default-debuginfo-4.12.14-122.17.1
      kernel-default-debuginfo-4.12.14-122.17.1
      kernel-default-debugsource-4.12.14-122.17.1
      ocfs2-kmp-default-4.12.14-122.17.1
      ocfs2-kmp-default-debuginfo-4.12.14-122.17.1

References:

   https://www.suse.com/security/cve/CVE-2019-14615.html
   https://www.suse.com/security/cve/CVE-2019-14896.html
   https://www.suse.com/security/cve/CVE-2019-14897.html
   https://www.suse.com/security/cve/CVE-2019-16994.html
   https://www.suse.com/security/cve/CVE-2019-18808.html
   https://www.suse.com/security/cve/CVE-2019-19036.html
   https://www.suse.com/security/cve/CVE-2019-19045.html
   https://www.suse.com/security/cve/CVE-2019-19054.html
   https://www.suse.com/security/cve/CVE-2019-19318.html
   https://www.suse.com/security/cve/CVE-2019-19319.html
   https://www.suse.com/security/cve/CVE-2019-19447.html
   https://www.suse.com/security/cve/CVE-2019-19767.html
   https://www.suse.com/security/cve/CVE-2019-19927.html
   https://www.suse.com/security/cve/CVE-2019-19965.html
   https://www.suse.com/security/cve/CVE-2019-19966.html
   https://www.suse.com/security/cve/CVE-2019-20054.html
   https://www.suse.com/security/cve/CVE-2019-20095.html
   https://www.suse.com/security/cve/CVE-2019-20096.html
   https://www.suse.com/security/cve/CVE-2020-7053.html
   https://www.suse.com/security/cve/CVE-2020-8428.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8992.html
   https://bugzilla.suse.com/1046303
   https://bugzilla.suse.com/1050244
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1051858
   https://bugzilla.suse.com/1061840
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1083647
   https://bugzilla.suse.com/1085030
   https://bugzilla.suse.com/1086301
   https://bugzilla.suse.com/1086313
   https://bugzilla.suse.com/1086314
   https://bugzilla.suse.com/1088810
   https://bugzilla.suse.com/1103989
   https://bugzilla.suse.com/1103990
   https://bugzilla.suse.com/1103991
   https://bugzilla.suse.com/1104353
   https://bugzilla.suse.com/1104427
   https://bugzilla.suse.com/1104745
   https://bugzilla.suse.com/1105392
   https://bugzilla.suse.com/1109837
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1112374
   https://bugzilla.suse.com/1112504
   https://bugzilla.suse.com/1113956
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1114648
   https://bugzilla.suse.com/1114685
   https://bugzilla.suse.com/1118661
   https://bugzilla.suse.com/1123328
   https://bugzilla.suse.com/1126206
   https://bugzilla.suse.com/1127371
   https://bugzilla.suse.com/1127611
   https://bugzilla.suse.com/1127682
   https://bugzilla.suse.com/1129551
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1133147
   https://bugzilla.suse.com/1134973
   https://bugzilla.suse.com/1140025
   https://bugzilla.suse.com/1142685
   https://bugzilla.suse.com/1143959
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1151910
   https://bugzilla.suse.com/1151927
   https://bugzilla.suse.com/1153535
   https://bugzilla.suse.com/1153917
   https://bugzilla.suse.com/1154243
   https://bugzilla.suse.com/1154601
   https://bugzilla.suse.com/1155331
   https://bugzilla.suse.com/1155334
   https://bugzilla.suse.com/1156259
   https://bugzilla.suse.com/1156286
   https://bugzilla.suse.com/1156609
   https://bugzilla.suse.com/1157155
   https://bugzilla.suse.com/1157157
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1157480
   https://bugzilla.suse.com/1157692
   https://bugzilla.suse.com/1157853
   https://bugzilla.suse.com/1157966
   https://bugzilla.suse.com/1158013
   https://bugzilla.suse.com/1158021
   https://bugzilla.suse.com/1158026
   https://bugzilla.suse.com/1158071
   https://bugzilla.suse.com/1158819
   https://bugzilla.suse.com/1159028
   https://bugzilla.suse.com/1159096
   https://bugzilla.suse.com/1159271
   https://bugzilla.suse.com/1159297
   https://bugzilla.suse.com/1159377
   https://bugzilla.suse.com/1159394
   https://bugzilla.suse.com/1159483
   https://bugzilla.suse.com/1159484
   https://bugzilla.suse.com/1159500
   https://bugzilla.suse.com/1159569
   https://bugzilla.suse.com/1159588
   https://bugzilla.suse.com/1159841
   https://bugzilla.suse.com/1159908
   https://bugzilla.suse.com/1159909
   https://bugzilla.suse.com/1159910
   https://bugzilla.suse.com/1159911
   https://bugzilla.suse.com/1159955
   https://bugzilla.suse.com/1160147
   https://bugzilla.suse.com/1160195
   https://bugzilla.suse.com/1160210
   https://bugzilla.suse.com/1160211
   https://bugzilla.suse.com/1160218
   https://bugzilla.suse.com/1160433
   https://bugzilla.suse.com/1160442
   https://bugzilla.suse.com/1160469
   https://bugzilla.suse.com/1160470
   https://bugzilla.suse.com/1160476
   https://bugzilla.suse.com/1160560
   https://bugzilla.suse.com/1160618
   https://bugzilla.suse.com/1160678
   https://bugzilla.suse.com/1160755
   https://bugzilla.suse.com/1160756
   https://bugzilla.suse.com/1160784
   https://bugzilla.suse.com/1160787
   https://bugzilla.suse.com/1160802
   https://bugzilla.suse.com/1160803
   https://bugzilla.suse.com/1160804
   https://bugzilla.suse.com/1160917
   https://bugzilla.suse.com/1160966
   https://bugzilla.suse.com/1160979
   https://bugzilla.suse.com/1161087
   https://bugzilla.suse.com/1161243
   https://bugzilla.suse.com/1161360
   https://bugzilla.suse.com/1161472
   https://bugzilla.suse.com/1161514
   https://bugzilla.suse.com/1161518
   https://bugzilla.suse.com/1161522
   https://bugzilla.suse.com/1161523
   https://bugzilla.suse.com/1161549
   https://bugzilla.suse.com/1161552
   https://bugzilla.suse.com/1161674
   https://bugzilla.suse.com/1161702
   https://bugzilla.suse.com/1161875
   https://bugzilla.suse.com/1161907
   https://bugzilla.suse.com/1161931
   https://bugzilla.suse.com/1161933
   https://bugzilla.suse.com/1161934
https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163206 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164471 From sle-security-updates at lists.suse.com Thu Mar 5 07:14:24 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Mar 2020 15:14:24 +0100 (CET) Subject: SUSE-SU-2020:0589-1: Security update for postgresql10 Message-ID: 
<20200305141424.1B89DF79E@maintenance.suse.de>

SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0589-1
Rating: low
References: #1163985
Cross-References: CVE-2020-1720
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Server Applications 15
  SUSE Linux Enterprise Module for Packagehub Subpackages 15
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
  SUSE Linux Enterprise Module for Basesystem 15
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for postgresql10 fixes the following issues:

PostgreSQL was updated to version 10.12.

Security issue fixed:

- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-589=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-589=1 - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2020-589=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-589=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-589=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-589=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-589=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-589=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libecpg6-10.12-4.19.1 libecpg6-debuginfo-10.12-4.19.1 libpq5-10.12-4.19.1 libpq5-debuginfo-10.12-4.19.1 postgresql10-10.12-4.19.1 postgresql10-contrib-10.12-4.19.1 postgresql10-contrib-debuginfo-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-devel-10.12-4.19.1 postgresql10-devel-debuginfo-10.12-4.19.1 postgresql10-plperl-10.12-4.19.1 postgresql10-plperl-debuginfo-10.12-4.19.1 postgresql10-plpython-10.12-4.19.1 postgresql10-plpython-debuginfo-10.12-4.19.1 postgresql10-pltcl-10.12-4.19.1 postgresql10-pltcl-debuginfo-10.12-4.19.1 postgresql10-server-10.12-4.19.1 postgresql10-server-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): postgresql10-docs-10.12-4.19.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libecpg6-10.12-4.19.1 libecpg6-debuginfo-10.12-4.19.1 libpq5-10.12-4.19.1 libpq5-debuginfo-10.12-4.19.1 
postgresql10-10.12-4.19.1 postgresql10-contrib-10.12-4.19.1 postgresql10-contrib-debuginfo-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-devel-10.12-4.19.1 postgresql10-devel-debuginfo-10.12-4.19.1 postgresql10-plperl-10.12-4.19.1 postgresql10-plperl-debuginfo-10.12-4.19.1 postgresql10-plpython-10.12-4.19.1 postgresql10-plpython-debuginfo-10.12-4.19.1 postgresql10-pltcl-10.12-4.19.1 postgresql10-pltcl-debuginfo-10.12-4.19.1 postgresql10-server-10.12-4.19.1 postgresql10-server-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): postgresql10-docs-10.12-4.19.1 - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): libecpg6-10.12-4.19.1 libecpg6-debuginfo-10.12-4.19.1 postgresql10-contrib-10.12-4.19.1 postgresql10-contrib-debuginfo-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-devel-10.12-4.19.1 postgresql10-devel-debuginfo-10.12-4.19.1 postgresql10-plperl-10.12-4.19.1 postgresql10-plperl-debuginfo-10.12-4.19.1 postgresql10-plpython-10.12-4.19.1 postgresql10-plpython-debuginfo-10.12-4.19.1 postgresql10-pltcl-10.12-4.19.1 postgresql10-pltcl-debuginfo-10.12-4.19.1 postgresql10-server-10.12-4.19.1 postgresql10-server-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise Module for Server Applications 15 (noarch): postgresql10-docs-10.12-4.19.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64): postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-test-10.12-4.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-test-10.12-4.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64): libpq5-32bit-10.12-4.19.1 libpq5-32bit-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise Module 
for Basesystem 15 (aarch64 ppc64le s390x x86_64): libpq5-10.12-4.19.1 libpq5-debuginfo-10.12-4.19.1 postgresql10-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libecpg6-10.12-4.19.1 libecpg6-debuginfo-10.12-4.19.1 libpq5-10.12-4.19.1 libpq5-debuginfo-10.12-4.19.1 postgresql10-10.12-4.19.1 postgresql10-contrib-10.12-4.19.1 postgresql10-contrib-debuginfo-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-devel-10.12-4.19.1 postgresql10-devel-debuginfo-10.12-4.19.1 postgresql10-plperl-10.12-4.19.1 postgresql10-plperl-debuginfo-10.12-4.19.1 postgresql10-plpython-10.12-4.19.1 postgresql10-plpython-debuginfo-10.12-4.19.1 postgresql10-pltcl-10.12-4.19.1 postgresql10-pltcl-debuginfo-10.12-4.19.1 postgresql10-server-10.12-4.19.1 postgresql10-server-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): postgresql10-docs-10.12-4.19.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libecpg6-10.12-4.19.1 libecpg6-debuginfo-10.12-4.19.1 libpq5-10.12-4.19.1 libpq5-debuginfo-10.12-4.19.1 postgresql10-10.12-4.19.1 postgresql10-contrib-10.12-4.19.1 postgresql10-contrib-debuginfo-10.12-4.19.1 postgresql10-debuginfo-10.12-4.19.1 postgresql10-debugsource-10.12-4.19.1 postgresql10-devel-10.12-4.19.1 postgresql10-devel-debuginfo-10.12-4.19.1 postgresql10-plperl-10.12-4.19.1 postgresql10-plperl-debuginfo-10.12-4.19.1 postgresql10-plpython-10.12-4.19.1 postgresql10-plpython-debuginfo-10.12-4.19.1 postgresql10-pltcl-10.12-4.19.1 postgresql10-pltcl-debuginfo-10.12-4.19.1 postgresql10-server-10.12-4.19.1 postgresql10-server-debuginfo-10.12-4.19.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): postgresql10-docs-10.12-4.19.1 References: https://www.suse.com/security/cve/CVE-2020-1720.html https://bugzilla.suse.com/1163985 From 
sle-security-updates at lists.suse.com Thu Mar 5 10:20:14 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Mar 2020 18:20:14 +0100 (CET)
Subject: SUSE-SU-2020:0594-1: moderate: Security update for gd
Message-ID: <20200305172014.B9003F79E@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0594-1
Rating: moderate
References: #1140120 #1165471
Cross-References: CVE-2018-14553 CVE-2019-11038
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for gd fixes the following issues:

Security issue fixed:

- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone (bsc#1165471).
- CVE-2019-11038: Fixed an information disclosure in gdImageCreateFromXbm() (bsc#1140120).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-594=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-594=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-594=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): gd-debugsource-2.2.5-4.14.1 libgd3-32bit-2.2.5-4.14.1 libgd3-32bit-debuginfo-2.2.5-4.14.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): gd-2.2.5-4.14.1 gd-debuginfo-2.2.5-4.14.1 gd-debugsource-2.2.5-4.14.1 gd-devel-2.2.5-4.14.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): gd-debuginfo-2.2.5-4.14.1 gd-debugsource-2.2.5-4.14.1 libgd3-2.2.5-4.14.1 libgd3-debuginfo-2.2.5-4.14.1 References: https://www.suse.com/security/cve/CVE-2018-14553.html https://www.suse.com/security/cve/CVE-2019-11038.html https://bugzilla.suse.com/1140120 https://bugzilla.suse.com/1165471 From sle-security-updates at lists.suse.com Thu Mar 5 13:16:40 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Mar 2020 21:16:40 +0100 (CET) Subject: SUSE-SU-2020:0599-1: moderate: Security update for the Linux Kernel Message-ID: <20200305201640.49CE1FC56@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0599-1 Rating: moderate References: #1046303 #1050244 #1051510 #1051858 #1065600 #1065729 #1071995 #1078248 #1083647 #1085030 #1086301 #1086313 #1086314 #1089644 #1090888 #1104427 #1108043 #1113722 #1114279 #1115026 #1117169 #1120853 #1127371 #1134973 #1138039 #1140948 
#1141054 #1142095 #1143959 #1144333 #1146519 #1146544 #1151548 #1151900 #1151910 #1151927 #1152631 #1153811 #1153917 #1154043 #1154058 #1154355 #1155331 #1155334 #1155689 #1155897 #1155921 #1156258 #1156259 #1156286 #1156462 #1156471 #1157038 #1157042 #1157070 #1157143 #1157145 #1157155 #1157157 #1157158 #1157162 #1157169 #1157171 #1157173 #1157178 #1157180 #1157182 #1157183 #1157184 #1157191 #1157193 #1157197 #1157298 #1157303 #1157307 #1157324 #1157333 #1157424 #1157463 #1157499 #1157678 #1157692 #1157698 #1157778 #1157853 #1157908 #1158013 #1158021 #1158026 #1158049 #1158063 #1158064 #1158065 #1158066 #1158067 #1158068 #1158082 #1158094 #1158132 #1158381 #1158394 #1158398 #1158407 #1158410 #1158413 #1158417 #1158427 #1158445 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159297 #1159394 #1159483 #1159484 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160195 #1160210 #1160211 #1160433 #1160442 #1160476 #1160560 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1161087 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161875 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 Cross-References: CVE-2019-14615 CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2019-14901 CVE-2019-15213 CVE-2019-16994 CVE-2019-18660 CVE-2019-18683 CVE-2019-18808 CVE-2019-18809 CVE-2019-19036 CVE-2019-19045 CVE-2019-19049 CVE-2019-19051 CVE-2019-19052 CVE-2019-19054 CVE-2019-19056 CVE-2019-19057 CVE-2019-19058 CVE-2019-19060 CVE-2019-19062 CVE-2019-19063 CVE-2019-19065 CVE-2019-19066 CVE-2019-19067 CVE-2019-19068 CVE-2019-19073 CVE-2019-19074 CVE-2019-19075 CVE-2019-19077 CVE-2019-19227 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524 CVE-2019-19525 
CVE-2019-19526 CVE-2019-19527 CVE-2019-19528 CVE-2019-19529 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534 CVE-2019-19535 CVE-2019-19536 CVE-2019-19537 CVE-2019-19543 CVE-2019-19767 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2020-7053
Affected Products:
  SUSE Linux Enterprise Real Time Extension 12-SP4
______________________________________________________________________________

An update that solves 60 vulnerabilities and has 119 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 real-time kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Marvell WiFi driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote device's country settings. This could allow the remote device to cause a denial of service or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-14901: A heap overflow flaw was found in the Marvell WiFi driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code (bnc#1157042).
- CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18660: An information disclosure bug occurred because the Spectre-RSB mitigation was not in place for all applicable CPUs, aka CID-39e72bf96f58 (bnc#1157038).
- CVE-2019-18683: Multiple race conditions were discovered in drivers/media/platform/vivid. It was exploitable for privilege escalation if local users had access to /dev/video0, but only if the driver happened to be loaded. At least one of these race conditions led to a use-after-free (bnc#1155897).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-18809: A memory leak in drivers/media/usb/dvb-usb/af9005.c allowed attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559 (bnc#1156258).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024).
- CVE-2019-19052: A memory leak in drivers/net/can/usb/gs_usb.c allowed attackers to cause a denial of service (memory consumption), aka CID-fb5be6a7b486 (bnc#1157324).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19056: A memory leak in drivers/net/wireless/marvell/mwifiex/pcie.c allowed attackers to cause a denial of service (memory consumption), aka CID-db8fd2cde932 (bnc#1157197).
- CVE-2019-19057: Two memory leaks in drivers/net/wireless/marvell/mwifiex/pcie.c allowed attackers to cause a denial of service (memory consumption), aka CID-d10dcb615c8e (bnc#1157193 bsc#1157197).
- CVE-2019-19058: A memory leak in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allowed attackers to cause a denial of service (memory consumption), aka CID-b4b814fec1a5 (bnc#1157145).
- CVE-2019-19060: A memory leak in drivers/iio/imu/adis_buffer.c allowed attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41 (bnc#1157178).
- CVE-2019-19062: A memory leak in crypto/crypto_user_base.c allowed attackers to cause a denial of service (memory consumption), aka CID-ffdde5932042 (bnc#1157333).
- CVE-2019-19063: Two memory leaks in drivers/net/wireless/realtek/rtlwifi/usb.c allowed attackers to cause a denial of service (memory consumption), aka CID-3f9361695113 (bnc#1157298).
- CVE-2019-19065: A memory leak in drivers/infiniband/hw/hfi1/sdma.c allowed attackers to cause a denial of service (memory consumption), aka CID-34b3be18a04e (bnc#1157191).
- CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303).
- CVE-2019-19067: There were four unlikely memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c (bnc#1157180).
- CVE-2019-19068: A memory leak in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allowed attackers to cause a denial of service (memory consumption), aka CID-a2cdd07488e6 (bnc#1157307).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption), aka CID-853acf7caf10 (bnc#1157070).
- CVE-2019-19074: A memory leak in drivers/net/wireless/ath/ath9k/wmi.c allowed attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4 (bnc#1157143).
- CVE-2019-19075: A memory leak in drivers/net/ieee802154/ca8210.c allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e (bnc#1157162).
- CVE-2019-19077: A memory leak in drivers/infiniband/hw/bnxt_re/ib_verbs.c allowed attackers to cause a denial of service (memory consumption), aka CID-4a9d46a9fe14 (bnc#1157171).
- CVE-2019-19227: In the AppleTalk subsystem there was a potential NULL pointer dereference because register_snap_client may return NULL. This could have led to denial of service, aka CID-9804501fa122 (bnc#1157678).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823).
- CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9 (bsc#1158413).
- CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035 (bsc#1158417).
- CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893).
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900).
- CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d (bsc#1158407).
- CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41 (bnc#1158381).
- CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef (bsc#1158410).
- CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca (bsc#1158445).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824).
- CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834).
- CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29 (bsc#1158398).
- CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903).
- CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0 (bsc#1158394).
- CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9 (bsc#1158904).
- CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954).
- CVE-2019-19049: There was an unlikely memory leak in unittest_data_add (bsc#1157173).
The following non-security bugs were fixed: - ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510). - ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask (bsc#1051510). - ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510). - ACPI / SBS: Fix rare oops when removing modules (bsc#1051510). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - ACPI: OSL: only free map once in osl.c (bsc#1051510). - ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510). - ACPICA: Never run _REG on system_memory and system_IO (bsc#1051510). - ACPICA: Use %d for signed int print formatting instead of %u (bsc#1051510). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: 6fire: Drop the dead code (git-fixes). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: cs4236: fix error return comparison of an unsigned integer (git-fixes). - ALSA: echoaudio: simplify get_audio_levels (bsc#1051510). - ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: firewire-motu: Correct a typo in the clock proc string (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda - Add mute led support for HP ProBook 645 G4 (git-fixes). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda - Fix pending unsol events at shutdown (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes). 
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510). - ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes). - ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510). - ALSA: hda/realtek - Move some alc236 pintbls to fallback table (git-fixes). - ALSA: hda/realtek - Move some alc256 pintbls to fallback table (git-fixes). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: i2c/cs8427: Fix int to char conversion (bsc#1051510). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: intel8x0m: Register irq handler after register initializations (bsc#1051510). - ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes). - ALSA: pcm: signedness bug in snd_pcm_plug_alloc() (bsc#1051510). - ALSA: seq: Do error checks at creating system ports (bsc#1051510). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: usb-audio: Fix Focusrite Scarlett 6i6 gen1 - input handling (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - apparmor: fix unsigned len comparison with less than zero (git-fixes). - appledisplay: fix error handling in the scheduled work (git-fixes). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). 
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510). - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: davinci-mcasp: Handle return value of devm_kasprintf (stable 4.14.y). - ASoC: davinci: Kill BUG_ON() usage (stable 4.14.y). - ASoC: dpcm: Properly initialise hw->rate_max (bsc#1051510). - ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: kirkwood: fix external clock probe defer (git-fixes). - ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX (git-fixes). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: sgtl5000: avoid division by zero if lo_vag is zero (bsc#1051510). - ASoC: tegra_sgtl5000: fix device_node refcounting (bsc#1051510). - ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes (stable 4.14.y). - ASoC: tlv320dac31xx: mark expected switch fall-through (stable 4.14.y). - ASoC: wm8962: fix lambda value (git-fixes). - ata: ep93xx: Use proper enums for directions (bsc#1051510). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath10k: fix kernel panic by moving pci flush after napi_disable (bsc#1051510). - ath10k: fix vdev-start timeout on error (bsc#1051510). - ath10k: limit available channels via DT ieee80211-freq-limit (bsc#1051510). - ath10k: wmi: disable softirq's while calling ieee80211_rx (bsc#1051510). - ath6kl: Fix off by one error in scan completion (bsc#1051510). - ath9k: add back support for using active monitor interfaces for tx99 (bsc#1051510). - ath9k: Fix a locking bug in ath9k_add_interface() (bsc#1051510). - ath9k: fix reporting calculated new FFT upper max (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - ath9k: fix tx99 with monitor mode interface (bsc#1051510). - ath9k_hw: fix uninitialized variable data (bsc#1051510). - atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510). 
- audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094). - ax88172a: fix information leak on short answers (bsc#1051510). - backlight: lm3639: Unconditionally call led_classdev_unregister (bsc#1051510). - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcma: remove set but not used variable 'sizel' (git-fixes). - Bluetooth: btusb: fix PM leak in error case of setup (bsc#1051510). - Bluetooth: delete a stray unlock (bsc#1051510). - Bluetooth: Fix invalid-free in bcsp_close() (git-fixes). - Bluetooth: Fix memory leak in hci_connect_le_scan (bsc#1051510). - Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510). - Bluetooth: hci_core: fix init for HCI_USER_CHANNEL (bsc#1051510). - Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS (bsc#1051510). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10). - bonding: fix state transition issue in link monitoring (networking-stable-19_11_10). - bpf: Make use of probe_user_write in probe write helper (bsc#1083647). - brcmfmac: fix full timeout waiting for action frame on-channel tx (bsc#1051510). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - brcmfmac: reduce timeout for action frame scan (bsc#1051510). - brcmsmac: AP mode: update beacon when TIM changes (bsc#1051510). - brcmsmac: never log "tid x is not agg'able" by default (bsc#1051510). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). 
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: simplify inode locking for RWF_NOWAIT (git-fixes). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). 
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: c_can: c_can_poll(): only read status register after status IRQ (git-fixes).
- can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mcba_usb: fix use-after-free on disconnect (git-fixes).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: peak_usb: fix a potential out-of-sync while decoding packets (git-fixes).
- can: peak_usb: fix slab info leak (git-fixes).
- can: peak_usb: report bus recovery as well (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max (git-fixes).
- can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510).
- can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak (git-fixes).
- can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak (git-fixes).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- can: usb_8dev: fix use-after-free on disconnect (git-fixes).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- ceph: add missing check in d_revalidate snapdir handling (bsc#1157183).
- ceph: do not try to handle hashed dentries in non-O_CREAT atomic_open (bsc#1157184).
- ceph: fix use-after-free in __ceph_remove_cap() (bsc#1154058).
- ceph: just skip unrecognized info in ceph_reply_info_extra (bsc#1157182).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set (bsc#1051510).
- cfg80211: call disconnect_wk when AP stops (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces (bsc#1051510).
- cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- cifs: add a helper to find an existing readable handle to a file (bsc#1144333, bsc#1154355).
- cifs: add support for flock (bsc#1144333).
- cifs: avoid using MID 0xFFFF (bsc#1144333, bsc#1154355).
- cifs: Close cached root handle only if it had a lease (bsc#1144333).
- cifs: Close open handle after interrupted close (bsc#1144333).
- cifs: close the shared root handle on tree disconnect (bsc#1144333).
- cifs: create a helper to find a writeable handle by path name (bsc#1144333, bsc#1154355).
- cifs: Do not miss cancelled OPEN responses (bsc#1144333).
- cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bsc#1144333, bsc#1154355).
- cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- cifs: fix max ea value size (bsc#1144333, bsc#1154355).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: Fix missed free operations (bsc#1144333, bsc#1154355).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: Fix NULL pointer dereference in mid callback (bsc#1144333).
- cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- cifs: Fix oplock handling for SMB 2.1+ protocols (bsc#1144333, bsc#1154355).
- cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- cifs: Fix retry mid list corruption on reconnects (bsc#1144333, bsc#1154355).
- cifs: Fix SMB2 oplock break processing (bsc#1144333, bsc#1154355).
- cifs: Fix use after free of file info structures (bsc#1144333, bsc#1154355).
- cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- cifs: Force reval dentry if LOOKUP_REVAL flag is set (bsc#1144333, bsc#1154355).
- cifs: Force revalidate inode when dentry is stale (bsc#1144333, bsc#1154355).
- cifs: Gracefully handle QueryInfo errors during open (bsc#1144333, bsc#1154355).
- cifs: move cifsFileInfo_put logic into a work-queue (bsc#1144333, bsc#1154355).
- cifs: prepare SMB2_Flush to be usable in compounds (bsc#1144333, bsc#1154355).
- cifs: Properly process SMB3 lease breaks (bsc#1144333).
- cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- cifs: set domainName when a domain-key is used in multiuser (bsc#1144333, bsc#1154355).
- cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic (bsc#1144333, bsc#1154355).
- cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#1144333, bsc#1154355).
- cifs: Use kzfree() to zero out the password (bsc#1144333, bsc#1154355).
- clk: at91: avoid sleeping early (git-fixes).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: pxa: fix one of the pxa RTC clocks (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume (bsc#1051510).
- clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume (git-fixes).
- clk: samsung: Use clk_hw API for calling clk framework from clk notifiers (bsc#1051510).
- clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18 (git-fixes).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines (bsc#1051510).
- clocksource/drivers/sh_cmt: Fixup for 64-bit machines (bsc#1051510).
- compat_ioctl: handle SIOCOUTQNSD (bsc#1051510).
- component: fix loop condition to call unbind() if bind() fails (bsc#1051510).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() (bsc#1051510).
- cpufreq: intel_pstate: Register when ACPI PCCH is present (bsc#1051510).
- cpufreq: powernv: fix stack bloat and hard limit on number of CPUs (bsc#1051510).
- cpufreq: Skip cpufreq resume if it's not suspended (bsc#1051510).
- cpufreq: ti-cpufreq: add missing of_node_put() (bsc#1051510).
- cpupower : Fix cpupower working when cpu0 is offline (bsc#1051510).
- cpupower : frequency-set -r option misses the last cpu in related cpu list (bsc#1051510).
- cpupower: Fix coredump on VMWare (bsc#1051510).
- crypto: af_alg - cast ki_complete ternary op to int (bsc#1051510).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix big endian bug in ECC library (bsc#1051510).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: fix a memory leak in rsa-kcs1pad's encryption mode (bsc#1051510).
- crypto: geode-aes - switch to skcipher for cbc(aes) fallback (bsc#1051510).
- crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510).
- crypto: mxs-dcp - Fix AES issues (bsc#1051510).
- crypto: mxs-dcp - Fix SHA null hashes and output length (bsc#1051510).
- crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: s5p-sss: Fix Fix argument list alignment (bsc#1051510).
- crypto: tgr192 - remove unneeded semicolon (bsc#1051510).
- cw1200: Fix a signedness bug in cw1200_load_firmware() (bsc#1051510).
- cxgb4: fix panic when attaching to ULD fail (networking-stable-19_11_05).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dccp: do not leak jiffies on the wire (networking-stable-19_11_05).
- dlm: do not leak kernel pointer to userspace (bsc#1051510).
- dlm: fix invalid free (bsc#1051510).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: dma-jz4780: Do not depend on MACH_JZ4780 (bsc#1051510).
- dmaengine: dma-jz4780: Further residue status fix (bsc#1051510).
- dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- dmaengine: imx-sdma: fix use-after-free on probe error path (bsc#1051510).
- dmaengine: rcar-dmac: set scatter/gather max segment size (bsc#1051510).
- dmaengine: timb_dma: Use proper enum in td_prep_slave_sg (bsc#1051510).
- docs: move protection-keys.rst to the core-api book (bsc#1078248).
- Documentation: debugfs: Document debugfs helper for unsigned long values (git-fixes).
- Documentation: x86: convert protection-keys.txt to reST (bsc#1078248).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1113722)
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915: Add missing include file (bsc#1051510).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/omap: fix max fclk divider for omap36xx (bsc#1113722)
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix bad DMA from INTERRUPT_CNTL2 (git-fixes).
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/radeon: fix si_enable_smc_cac() failed issue (bsc#1113722)
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Drop unnecessary __E1000_DOWN bit twiddling (bsc#1158049).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e1000e: Use dev_get_drvdata where possible (bsc#1158049).
- e1000e: Use rtnl_lock to prevent race conditions between net and pci/pm (bsc#1158049).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- EDAC/ghes: Fix Use after free in ghes_edac remove path (bsc#1114279).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext4: fix punch hole for inline_data file systems (bsc#1158640).
- ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639).
- extcon: cht-wc: Return from default case to avoid warnings (bsc#1051510).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() (bsc#1051510).
- fbdev: sbuslib: use checked version of put_user() (bsc#1051510).
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- gpio: mpc8xxx: Do not overwrite default irq_set_type callback (bsc#1051510).
- gpio: syscon: Fix possible NULL ptr usage (bsc#1051510).
- gpiolib: acpi: Add Terra Pad 1061 to the run_edge_events_on_boot_blacklist (bsc#1051510).
- gsmi: Fix bug in append_to_eventlog sysfs handler (bsc#1051510).
- HID: Add ASUS T100CHI keyboard dock battery quirks (bsc#1051510).
- HID: Add quirk for Microsoft PIXART OEM mouse (bsc#1051510).
- HID: asus: Add T100CHI bluetooth keyboard dock special keys mapping (bsc#1051510).
- HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: Fix assumption that devices have inputs (git-fixes).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- HID: wacom: generic: Treat serial number and related fields as unsigned (git-fixes).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros (bsc#1051510).
- hwmon: (pwm-fan) Silence error on probe deferral (bsc#1051510).
- hwrng: omap - Fix RNG wait loop timeout (bsc#1051510).
- hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled (bsc#1051510).
- hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510).
- hypfs: Fix error number left in struct pointer member (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- iio: adc: max9611: explicitly cast gain_selectors (bsc#1051510).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: adc: stm32-adc: fix stopping dma (git-fixes).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- iio: dac: mcp4922: fix error handling in mcp4922_write_raw (bsc#1051510).
- iio: imu: adis16480: assign bias value only if operation succeeded (git-fixes).
- iio: imu: adis16480: make sure provided frequency is positive (git-fixes).
- iio: imu: adis: assign read val in debugfs hook only if op successful (git-fixes).
- iio: imu: adis: assign value only if return code zero in read funcs (git-fixes).
- include/linux/bitrev.h: fix constant bitrev (bsc#1114279).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- inet: stop leaking jiffies on the wire (networking-stable-19_11_05).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: ff-memless - kill timer in destroy() (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: silead - try firmware reload after unsuccessful resume (bsc#1051510).
- Input: st1232 - set INPUT_PROP_DIRECT property (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - clear IRQ enables for F54 (bsc#1051510).
- Input: synaptics-rmi4 - destroy F54 poller workqueue when removing (bsc#1051510).
- Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver (bsc#1051510).
- Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - fix video buffer size (git-fixes).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- intel_th: Fix a double put_device() in error path (git-fixes).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros (bsc#1158063).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address (bsc#1051510).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- ipv4: Return -ENETUNREACH if we can't create route but saddr is valid (networking-stable-19_10_24).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: api: annotate compressed BA notif array sizes (bsc#1051510).
- iwlwifi: check kasprintf() return value (bsc#1051510).
- iwlwifi: mvm: avoid sending too many BARs (bsc#1051510).
- iwlwifi: mvm: do not send keys when entering D3 (bsc#1051510).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- kABI workaround for ath10k last_wmi_vdev_start_status field (bsc#1051510).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI workaround for struct mwifiex_power_cfg change (bsc#1051510).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: Fix for "KVM: x86: Introduce vcpu->arch.xsaves_enabled" (bsc#1158066).
- kABI: protect struct sctp_ep_common (kabi).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279).
- KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279).
- KVM: VMX: Consider PID.PIR to determine if vCPU has pending interrupts (bsc#1158064).
- KVM: VMX: Fix conditions for guest IA32_XSS support (bsc#1158065).
- KVM: x86/mmu: Take slots_lock when using kvm_mmu_zap_all_fast() (bsc#1158067).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Introduce vcpu->arch.xsaves_enabled (bsc#1158066).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- liquidio: fix race condition in instruction completion processing (bsc#1051510).
- livepatch: Allow to distinguish different version of system state changes (bsc#1071995).
- livepatch: Basic API to track system state changes (bsc#1071995).
- livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995).
- livepatch: Selftests of the API for tracking system state changes (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- loop: add ioctl for changing logical block size (bsc#1108043).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED (bsc#1051510).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: minstrel: fix CCK rate group streams value (bsc#1051510).
- mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: schedule bc_work even if error (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone (git-fixes).
- media: au0828: Fix incorrect error messages (bsc#1051510).
- media: bdisp: fix memleak on release (git-fixes).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: cxusb: detect cxusb_ctrl_msg error in query (bsc#1051510).
- media: davinci: Fix implicit enum conversion warning (bsc#1051510).
- media: exynos4-is: Fix recursive locking in isp_video_release() (git-fixes).
- media: fix: media: pci: meye: validate offset to avoid arbitrary access (bsc#1051510).
- media: flexcop-usb: ensure -EIO is returned on error condition (git-fixes).
- media: imon: invalid dereference in imon_touch_event (bsc#1051510).
- media: isif: fix a NULL pointer dereference bug (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() (bsc#1051510).
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: pxa_camera: Fix check for pdev->dev.of_node (bsc#1051510).
- media: radio: wl1273: fix interrupt masking on release (git-fixes).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: ti-vpe: vpe: Fix Motion Vector vpdma stride (git-fixes).
- media: usbvision: Fix races among open, close, and disconnect (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: vim2m: Fix abort issue (git-fixes).
- media: vivid: Set vid_cap_streaming and vid_out_streaming to true (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mei: fix modalias documentation (git-fixes).
- mei: samples: fix a signedness bug in amt_host_if_call() (bsc#1051510).
- mfd: intel-lpss: Add default I2C device properties for Gemini Lake (bsc#1051510).
- mfd: max8997: Enale irq-wakeup unconditionally (bsc#1051510).
- mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values (bsc#1051510).
- mfd: palmas: Assign the right powerhold mask for tps65917 (git-fixes).
- mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable (bsc#1051510).
- mISDN: Fix type of switch control variable in ctrl_teimanager (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mlx5: add parameter to disable enhanced IPoIB (bsc#1142095)
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (git fixes (mm/gup)).
- mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new zone (git fixes (mm/compaction)).
- mm/debug.c: PageAnon() is true for PageKsm() pages (git fixes (mm/debug)).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: core: fix wl1251 sdio quirks (git-fixes).
- mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card (git-fixes).
- mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail (bsc#1051510).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-at91: fix quirk2 overwrite (git-fixes).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdio: fix wl1251 vendor id (git-fixes).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mt7601u: fix bbp version check in mt7601u_wait_bbp_ready (bsc#1051510).
- mtd: spear_smi: Fix Write Burst mode (bsc#1051510).
- mtd: spi-nor: fix silent truncation in spi_nor_read() (bsc#1051510).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: Fix NL80211_TX_POWER_LIMITED (bsc#1051510).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- nbd: prevent memory leak (bsc#1158638).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/ibmvnic: Ignore H_FUNCTION return from H_EOI to tolerate XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_core: Dynamically set guaranteed amount of counters per VF (networking-stable-19_11_05).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget (networking-stable-19_11_05).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net/smc: avoid fallback in case of non-blocking connect (git-fixes).
- net/smc: fix closing of fallback SMC sockets (git-fixes).
- net/smc: Fix error path in smc_init (git-fixes).
- net/smc: fix ethernet interface refcounting (git-fixes).
- net/smc: fix refcounting for non-blocking connect() (git-fixes).
- net/smc: keep vlan_id for SMC-R in smc_listen_work() (git-fixes).
- net: add READ_ONCE() annotation in __skb_wait_for_more_packets() (networking-stable-19_11_05).
- net: add skb_queue_empty_lockless() (networking-stable-19_11_05).
- net: annotate accesses to sk->sk_incoming_cpu (networking-stable-19_11_05).
- net: annotate lockless accesses to sk->sk_napi_id (networking-stable-19_11_05).
- net: avoid potential infinite loop in tc_ctl_action() (networking-stable-19_10_24).
- net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 (networking-stable-19_10_24).
- net: bcmgenet: reset 40nm EPHY on energy detect (networking-stable-19_11_05).
- net: bcmgenet: Set phydev->dev_flags only for internal PHYs (networking-stable-19_10_24).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dsa: b53: Do not clear existing mirrored port mask (networking-stable-19_11_05).
- net: dsa: bcm_sf2: Fix IMP setup for port different than 8 (networking-stable-19_11_05).
- net: dsa: fix switch tree list (networking-stable-19_11_05).
- net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum (networking-stable-19_11_05).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: fix sk_page_frag() recursion from memory reclaim (networking-stable-19_11_05).
- net: hisilicon: Fix ping latency when deal with high throughput (networking-stable-19_11_05).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow (networking-stable-19_10_24).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- net: use skb_queue_empty_lockless() in busy poll contexts (networking-stable-19_11_05).
- net: use skb_queue_empty_lockless() in poll() handlers (networking-stable-19_11_05).
- net: wireless: ti: remove local VENDOR_ID and DEVICE_ID definitions (git-fixes).
- net: wireless: ti: wl1251 use new SDIO_VENDOR_ID_TI_WL1251 definition (git-fixes).
- net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() (networking-stable-19_11_05).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- netns: fix GFP flags in rtnl_net_notifyid() (networking-stable-19_11_05).
- nfc: fdp: fix incorrect free object (networking-stable-19_11_10).
- nfc: netlink: fix double device reference drop (git-fixes).
- nfc: nxp-nci: Fix NULL pointer dereference after I2C communication error (git-fixes).
- nfc: pn533: fix bulk-message timeout (bsc#1051510).
- nfc: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- nfc: port100: handle command failure cleanly (git-fixes).
- nfc: st21nfca: fix double free (networking-stable-19_11_10).
- nl80211: Fix a GET_KEY reply attribute (bsc#1051510).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: fix flow command message size (git-fixes).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- padata: use smp_mb in padata_reorder to avoid orphaned padata jobs (git-fixes).
- PCI/ACPI: Correct error message for ASPM disabling (bsc#1051510).
- PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/PME: Fix possible use-after-free on remove (git-fixes).
- PCI/PTM: Remove spurious "d" from granularity message (bsc#1051510).
- PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510).
- PCI: dwc: Fix find_next_bit() usage (bsc#1051510).
- PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510).
- PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510).
- PCI: sysfs: Ignore lockdep for remove attribute (git-fixes).
- PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 (git-fixes).
- phy: phy-twl4030-usb: fix denied runtime access (git-fixes).
- pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call (git-fixes).
- pinctrl: at91: do not use the same irqchip with multiple gpiochips (git-fixes).
- pinctrl: cherryview: Allocate IRQ chip dynamic (git-fixes).
- pinctrl: lewisburg: Update pin list according to v1.1v6 (bsc#1051510).
- pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT (bsc#1051510).
- pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in init code (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init (bsc#1051510).
- pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()' (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / devfreq: Check NULL governor in available_governors_show (git-fixes).
- PM / devfreq: exynos-bus: Correct clock enable sequence (bsc#1051510).
- PM / devfreq: Lock devfreq in trans_stat_show (git-fixes).
- PM / devfreq: passive: fix compiler warning (bsc#1051510).
- PM / devfreq: passive: Use non-devm notifiers (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- PM / hibernate: Check the success of generating md5 digest before hibernation (bsc#1051510).
- power: reset: at91-poweroff: do not procede if at91_shdwc is allocated (bsc#1051510).
- power: supply: ab8500_fg: silence uninitialized variable warnings (bsc#1051510).
- power: supply: twl4030_charger: disable eoc interrupt on linear charge (bsc#1051510).
- power: supply: twl4030_charger: fix charging current out-of-bounds (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/book3s64/hash: Use secondary hash for bolted mapping if the primary is full (bsc#1157778 ltc#182520).
- powerpc/bpf: Fix tail call implementation (bsc#1157698).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries: Do not fail hash page table insert for bolted mapping (bsc#1157778 ltc#182520).
- powerpc/pseries: Do not opencode HPTE_V_BOLTED (bsc#1157778 ltc#182520).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- ppdev: fix PPGETTIME/PPSETTIME ioctls (bsc#1051510).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- printk: Export console_printk (bsc#1071995).
- pwm: bcm-iproc: Prevent unloading the driver module while in use (git-fixes).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: lpss: Only set update bit if we are actually changing the settings (bsc#1051510).
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 (networking-stable-19_11_05).
- r8152: add missing endpoint sanity check (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ).
- README.BRANCH: removing myself from the maintainer list
- regulator: ab8500: Remove AB8505 USB regulator (bsc#1051510).
- regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- remoteproc: Check for NULL firmwares in sysfs interface (git-fixes).
- reset: fix of_reset_simple_xlate kerneldoc comment (bsc#1051510).
- reset: Fix potential use-after-free in __of_reset_control_get() (bsc#1051510).
- reset: fix reset_control_get_exclusive kerneldoc comment (bsc#1051510).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- Revert "ath10k: fix DMA related firmware crashes on multiple devices" (git-fixes).
- Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510).
- Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510).
- rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921)
  Let COMPRESS_VMLINUX determine the compression used for vmlinux. By default (historically), it is gz.
- rpm/kernel-source.spec.in: Fix dependency of kernel-devel (bsc#1154043)
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959)
  For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build
  There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rt2800: remove errornous duplicate condition (git-fixes).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument (bsc#1051510).
- rtl818x: fix potential use after free (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: Remove unnecessary NULL check in rtl_regd_init (bsc#1051510).
- rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing enable interrupt flag (bsc#1051510).
- s390/bpf: fix lcgr instruction encoding (bsc#1051510).
- s390/bpf: use 32-bit index for tail calls (bsc#1051510).
- s390/cio: avoid calling strlen on null pointer (bsc#1051510).
- s390/cio: exclude subchannels with no parent from pseudo check (bsc#1051510).
- s390/cmm: fix information leak in cmm_timeout_handler() (bsc#1051510).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390/idle: fix cpu idle time calculation (bsc#1051510).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/process: avoid potential reading of freed stack (bsc#1051510).
- s390/qdio: (re-)initialize tiqdio list entries (bsc#1051510).
- s390/qdio: do not touch the dsci in tiqdio_add_input_queues() (bsc#1051510).
- s390/qeth: clean up page frag creation (git-fixes).
- s390/qeth: consolidate skb allocation (git-fixes).
- s390/qeth: ensure linear access to packet headers (git-fixes).
- s390/qeth: guard against runt packets (git-fixes).
- s390/qeth: return proper errno on IO error (bsc#1051510).
- s390/setup: fix boot crash for machine without EDAT-1 (bsc#1051510 bsc#1140948).
- s390/setup: fix early warning messages (bsc#1051510 bsc#1140948).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390/topology: avoid firing events before kobjs are created (bsc#1051510).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390: fix stfle zero padding (bsc#1051510).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11179).
- sched/fair: Add tmp_alone_branch assertion (bnc#1156462).
- sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462).
- sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462).
- sched/fair: Optimize update_blocked_averages() (bnc#1156462).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- scsi: lpfc: Fix Oops in nvme_register with target logout/login (bsc#1151900).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Add debug dump of LOGO payload and ELS IOCB (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Allow PLOGI in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Change discovery state before PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Configure local loop for N2N target (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Do not call qlt_async_event twice (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Do not defer relogin unconditonally (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Drop superfluous INIT_WORK of del_work (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan (bsc#1138039).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Initialize free_work before flushing it (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Send Notify ACK after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: unregister ports after GPN_FT failure (bsc#1138039).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use explicit LOGO in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- scsi: zfcp: fix request object use-after-free in send path causing wrong traces (bsc#1051510).
- scsi: zfcp: trace channel log even for FCP command responses (git-fixes).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- sctp: change sctp_prot .no_autobind with true (networking-stable-19_10_24).
- selftests: net: reuseport_dualstack: fix uninitalized parameter (networking-stable-19_11_05).
- serial: max310x: Fix tx_empty() callback (bsc#1051510).
- serial: mxs-auart: Fix potential infinite loop (bsc#1051510).
- serial: samsung: Enable baud clock for UART reset procedure in resume (bsc#1051510).
- serial: uartps: Fix suspend functionality (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal (bsc#1157463).
- slcan: Fix memory leak in error path (bsc#1051510).
- slip: Fix memory leak in slip_open error path (bsc#1051510).
- slip: Fix use-after-free Read in slip_open (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: fix leak in "open on server" perf counter (bsc#1144333, bsc#1154355).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: fix signing verification of large reads (bsc#1144333, bsc#1154355).
- smb3: fix unmount hang in open_shroot (bsc#1144333, bsc#1154355).
- smb3: improve handling of share deleted (and share recreated) (bsc#1144333, bsc#1154355).
- smb3: Incorrect size for netname negotiate context (bsc#1144333, bsc#1154355).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc: imx: gpc: fix PDN delay (bsc#1051510).
- soc: qcom: wcnss_ctrl: Avoid string overflow (bsc#1051510).
- spi: atmel: Fix CS high support (bsc#1051510).
- spi: atmel: fix handling of cs_change set on non-last xfer (bsc#1051510).
- spi: fsl-lpspi: Prevent FIFO under/overrun by default (bsc#1051510).
- spi: mediatek: Do not modify spi_transfer when transfer (bsc#1051510).
- spi: mediatek: use correct mata->xfer_len when in fifo transfer (bsc#1051510).
- spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510).
- spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510).
- spi: pic32: Use proper enum in dmaengine_prep_slave_rg (bsc#1051510).
- spi: rockchip: initialize dma_slave_config properly (bsc#1051510).
- spi: spidev: Fix OF tree warning logic (bsc#1051510).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179).
- stacktrace: Provide common infrastructure (jsc#SLE-11179).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: rtl8192e: fix potential use after free (bsc#1051510).
- staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510).
- staging: rtl8723bs: Drop ACPI device ids (bsc#1051510).
- stm class: Fix a double free of stm_source_device (bsc#1051510).
- supported.conf:
- synclink_gt(): fix compat_ioctl() (bsc#1051510).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510).
- thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510).
- thunderbolt: Fix lockdep circular locking depedency warning (git-fixes).
- tipc: Avoid copying bytes beyond the supplied data (bsc#1051510).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510).
- tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510).
- tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510).
- tipc: compat: allow tipc commands without arguments (bsc#1051510).
- tipc: fix a missing check of genlmsg_put (bsc#1051510).
- tipc: fix link name length check (bsc#1051510).
- tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510).
- tipc: fix skb may be leaky in tipc_link_input (bsc#1051510).
- tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510).
- tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510).
- tipc: handle the err returned from cmd header function (bsc#1051510).
- tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510).
- tipc: tipc clang warning (bsc#1051510).
- tpm: add check after commands attribs tab allocation (bsc#1051510).
- tracing: Cleanup stack trace code (jsc#SLE-11179).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: msm_serial: Fix flow control (bsc#1051510).
- tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510).
- uaccess: Add non-pagefault user-space write function (bsc#1083647).
- ubifs: Correctly initialize c->min_log_bytes (bsc#1158641).
- ubifs: Limit the number of pages in shrink_liability (bsc#1158643).
- udp: use skb_queue_empty_lockless() (networking-stable-19_11_05).
- usb-serial: cp201x: support Mark-10 digital force gauge (bsc#1051510).
- usb: adutux: fix interface sanity check (bsc#1051510).
- usb: Allow USB device to be warm reset in suspended state (bsc#1051510).
- usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- usb: chaoskey: fix error case of a timeout (git-fixes).
- usb: chipidea: Fix otg event handler (bsc#1051510).
- usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started (bsc#1051510).
- usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- usb: core: urb: fix URB structure initialization function (bsc#1051510).
- usb: documentation: flags on usb-storage versus UAS (bsc#1051510).
- usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- usb: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- usb: dwc3: gadget: Check ENBLSLPM before sending ep command (bsc#1051510).
- usb: gadget: pch_udc: fix use after free (bsc#1051510).
- usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() (bsc#1051510).
- usb: gadget: uvc: configfs: Drop leaked references to config items (bsc#1051510).
- usb: gadget: uvc: configfs: Prevent format changes after linking header (bsc#1051510).
- usb: gadget: uvc: Factor out video USB request queueing (bsc#1051510).
- usb: gadget: uvc: Only halt video streaming endpoint in bulk mode (bsc#1051510).
- usb: gadget: u_serial: add missing port entry locking (bsc#1051510).
- usb: idmouse: fix interface sanity checks (bsc#1051510).
- usb: misc: appledisplay: fix backlight update_status return code (bsc#1051510).
- usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510).
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510).
- usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510).
- usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- usb: serial: keyspan: handle unbound ports (bsc#1051510).
- usb: serial: mos7720: fix remote wakeup (git-fixes).
- usb: serial: mos7840: add USB ID to support Moxa UPort 2210 (bsc#1051510).
- usb: serial: mos7840: fix remote wakeup (git-fixes).
- usb: serial: opticon: fix control-message timeouts (bsc#1051510).
- usb: serial: option: add support for DW5821e with eSIM support (bsc#1051510).
- usb: serial: option: add support for Foxconn T77W968 LTE modules (bsc#1051510).
- usb: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- usb: serial: quatech2: handle unbound ports (bsc#1051510).
- usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- usb: serial: suppress driver bind attributes (bsc#1051510).
- usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- usb: xhci-mtk: fix ISOC error when interval is zero (bsc#1051510).
- usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- usb: xhci: only set D3hot for pci device (bsc#1051510).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- usbip: tools: fix fd leakage in the function of read_attr_usbip_status (git-fixes).
- vfio-ccw: Fix misleading comment when setting orb.cmd.c64 (bsc#1051510).
- vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn (bsc#1051510).
- vfio: ccw: push down unsupported IDA check (bsc#1156471 LTC#182362).
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510).
- video/hdmi: Fix AVI bar unpack (git-fixes).
- video: backlight: Add devres versions of of_find_backlight (bsc#1090888)
  Taken for 6010831dde5.
- video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888)
  Taken for 6010831dde5.
- virtio/s390: fix race on airq_areas (bsc#1051510).
- virtio_console: allocate inbufs in add_port() only if it is needed (git-fixes).
- virtio_ring: fix return code on DMA mapping fails (git-fixes).
- vmxnet3: turn off lro when rxcsum is disabled (bsc#1157499).
- vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes).
- watchdog: meson: Fix the wrong value of left time (bsc#1051510).
- watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/mm/pkeys: Fix typo in Documentation/x86/protection-keys.txt (bsc#1078248).
- x86/pkeys: Update documentation about availability (bsc#1078248).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential lockdep warning (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Prevent NULL pointer dereference when reading mondata (bsc#1114279).
- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs (bsc#1158068).
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP4:
   zypper in -t patch SUSE-SLE-RT-12-SP4-2020-599=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP4 (noarch):
   kernel-devel-rt-4.12.14-8.12.1
   kernel-source-rt-4.12.14-8.12.1

- SUSE Linux Enterprise Real Time Extension 12-SP4 (x86_64):
   cluster-md-kmp-rt-4.12.14-8.12.1
   dlm-kmp-rt-4.12.14-8.12.1
   gfs2-kmp-rt-4.12.14-8.12.1
   kernel-rt-4.12.14-8.12.1
   kernel-rt-base-4.12.14-8.12.1
   kernel-rt-devel-4.12.14-8.12.1
   kernel-rt_debug-devel-4.12.14-8.12.1
   kernel-syms-rt-4.12.14-8.12.1
   ocfs2-kmp-rt-4.12.14-8.12.1

References:

https://www.suse.com/security/cve/CVE-2019-14615.html
https://www.suse.com/security/cve/CVE-2019-14895.html
https://www.suse.com/security/cve/CVE-2019-14896.html
https://www.suse.com/security/cve/CVE-2019-14897.html
https://www.suse.com/security/cve/CVE-2019-14901.html
https://www.suse.com/security/cve/CVE-2019-15213.html
https://www.suse.com/security/cve/CVE-2019-16994.html
https://www.suse.com/security/cve/CVE-2019-18660.html
https://www.suse.com/security/cve/CVE-2019-18683.html
https://www.suse.com/security/cve/CVE-2019-18808.html
https://www.suse.com/security/cve/CVE-2019-18809.html
https://www.suse.com/security/cve/CVE-2019-19036.html
https://www.suse.com/security/cve/CVE-2019-19045.html
https://www.suse.com/security/cve/CVE-2019-19049.html
https://www.suse.com/security/cve/CVE-2019-19051.html
https://www.suse.com/security/cve/CVE-2019-19052.html
https://www.suse.com/security/cve/CVE-2019-19054.html
https://www.suse.com/security/cve/CVE-2019-19056.html
https://www.suse.com/security/cve/CVE-2019-19057.html
https://www.suse.com/security/cve/CVE-2019-19058.html
https://www.suse.com/security/cve/CVE-2019-19060.html
https://www.suse.com/security/cve/CVE-2019-19062.html
https://www.suse.com/security/cve/CVE-2019-19063.html
https://www.suse.com/security/cve/CVE-2019-19065.html
https://www.suse.com/security/cve/CVE-2019-19066.html
https://www.suse.com/security/cve/CVE-2019-19067.html https://www.suse.com/security/cve/CVE-2019-19068.html https://www.suse.com/security/cve/CVE-2019-19073.html https://www.suse.com/security/cve/CVE-2019-19074.html https://www.suse.com/security/cve/CVE-2019-19075.html https://www.suse.com/security/cve/CVE-2019-19077.html https://www.suse.com/security/cve/CVE-2019-19227.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19338.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19524.html https://www.suse.com/security/cve/CVE-2019-19525.html https://www.suse.com/security/cve/CVE-2019-19526.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19528.html https://www.suse.com/security/cve/CVE-2019-19529.html https://www.suse.com/security/cve/CVE-2019-19530.html https://www.suse.com/security/cve/CVE-2019-19531.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19534.html https://www.suse.com/security/cve/CVE-2019-19535.html https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19543.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-7053.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 
https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1078248 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1108043 https://bugzilla.suse.com/1113722 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1115026 https://bugzilla.suse.com/1117169 https://bugzilla.suse.com/1120853 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1138039 https://bugzilla.suse.com/1140948 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1142095 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 https://bugzilla.suse.com/1151548 https://bugzilla.suse.com/1151900 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1152631 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154043 https://bugzilla.suse.com/1154058 https://bugzilla.suse.com/1154355 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1155689 https://bugzilla.suse.com/1155897 https://bugzilla.suse.com/1155921 https://bugzilla.suse.com/1156258 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1156471 https://bugzilla.suse.com/1157038 https://bugzilla.suse.com/1157042 https://bugzilla.suse.com/1157070 https://bugzilla.suse.com/1157143 https://bugzilla.suse.com/1157145 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157158 https://bugzilla.suse.com/1157162 
https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1157171 https://bugzilla.suse.com/1157173 https://bugzilla.suse.com/1157178 https://bugzilla.suse.com/1157180 https://bugzilla.suse.com/1157182 https://bugzilla.suse.com/1157183 https://bugzilla.suse.com/1157184 https://bugzilla.suse.com/1157191 https://bugzilla.suse.com/1157193 https://bugzilla.suse.com/1157197 https://bugzilla.suse.com/1157298 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157307 https://bugzilla.suse.com/1157324 https://bugzilla.suse.com/1157333 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157463 https://bugzilla.suse.com/1157499 https://bugzilla.suse.com/1157678 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157698 https://bugzilla.suse.com/1157778 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157908 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158049 https://bugzilla.suse.com/1158063 https://bugzilla.suse.com/1158064 https://bugzilla.suse.com/1158065 https://bugzilla.suse.com/1158066 https://bugzilla.suse.com/1158067 https://bugzilla.suse.com/1158068 https://bugzilla.suse.com/1158082 https://bugzilla.suse.com/1158094 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158394 https://bugzilla.suse.com/1158398 https://bugzilla.suse.com/1158407 https://bugzilla.suse.com/1158410 https://bugzilla.suse.com/1158413 https://bugzilla.suse.com/1158417 https://bugzilla.suse.com/1158427 https://bugzilla.suse.com/1158445 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158637 https://bugzilla.suse.com/1158638 https://bugzilla.suse.com/1158639 https://bugzilla.suse.com/1158640 https://bugzilla.suse.com/1158641 https://bugzilla.suse.com/1158643 https://bugzilla.suse.com/1158644 https://bugzilla.suse.com/1158645 https://bugzilla.suse.com/1158646 https://bugzilla.suse.com/1158647 
https://bugzilla.suse.com/1158649 https://bugzilla.suse.com/1158651 https://bugzilla.suse.com/1158652 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 https://bugzilla.suse.com/1158893 https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 https://bugzilla.suse.com/1158954 https://bugzilla.suse.com/1159024 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 
https://bugzilla.suse.com/1162028
https://bugzilla.suse.com/1162067

From sle-security-updates at lists.suse.com Thu Mar 5 13:39:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Mar 2020 21:39:45 +0100 (CET)
Subject: SUSE-SU-2020:0598-1: moderate: Security update for tomcat
Message-ID: <20200305203945.810EDF79E@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0598-1
Rating: moderate
References: #1164692 #1164825 #1164860
Cross-References: CVE-2019-17569 CVE-2020-1935 CVE-2020-1938
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for tomcat to version 9.0.31 fixes the following issues:

Security issues fixed:

- CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling (bsc#1164825).
- CVE-2020-1935: Fixed an HTTP Request Smuggling issue (bsc#1164860).
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-598=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-598=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-598=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-598=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (noarch):
  tomcat-9.0.31-3.42.2
  tomcat-admin-webapps-9.0.31-3.42.2
  tomcat-el-3_0-api-9.0.31-3.42.2
  tomcat-jsp-2_3-api-9.0.31-3.42.2
  tomcat-lib-9.0.31-3.42.2
  tomcat-servlet-4_0-api-9.0.31-3.42.2
  tomcat-webapps-9.0.31-3.42.2
- SUSE Linux Enterprise Server 15-LTSS (noarch):
  tomcat-9.0.31-3.42.2
  tomcat-admin-webapps-9.0.31-3.42.2
  tomcat-el-3_0-api-9.0.31-3.42.2
  tomcat-jsp-2_3-api-9.0.31-3.42.2
  tomcat-lib-9.0.31-3.42.2
  tomcat-servlet-4_0-api-9.0.31-3.42.2
  tomcat-webapps-9.0.31-3.42.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  tomcat-9.0.31-3.42.2
  tomcat-admin-webapps-9.0.31-3.42.2
  tomcat-el-3_0-api-9.0.31-3.42.2
  tomcat-jsp-2_3-api-9.0.31-3.42.2
  tomcat-lib-9.0.31-3.42.2
  tomcat-servlet-4_0-api-9.0.31-3.42.2
  tomcat-webapps-9.0.31-3.42.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  tomcat-9.0.31-3.42.2
  tomcat-admin-webapps-9.0.31-3.42.2
  tomcat-el-3_0-api-9.0.31-3.42.2
  tomcat-jsp-2_3-api-9.0.31-3.42.2
  tomcat-lib-9.0.31-3.42.2
  tomcat-servlet-4_0-api-9.0.31-3.42.2
  tomcat-webapps-9.0.31-3.42.2

References:

https://www.suse.com/security/cve/CVE-2019-17569.html
https://www.suse.com/security/cve/CVE-2020-1935.html
https://www.suse.com/security/cve/CVE-2020-1938.html
https://bugzilla.suse.com/1164692
https://bugzilla.suse.com/1164825
https://bugzilla.suse.com/1164860

From sle-security-updates at lists.suse.com Fri Mar 6 07:13:38 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Mar 2020 15:13:38 +0100 (CET)
Subject: SUSE-SU-2020:0605-1: moderate: Security update for the Linux Kernel
Message-ID: <20200306141338.52B3CFCEF@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0605-1
Rating: moderate
References: #1050244 #1051510 #1051858 #1065600 #1065729 #1071995
  #1083647 #1085030 #1086301 #1086313 #1086314 #1104745
  #1109837 #1111666 #1112178 #1112374 #1113956 #1114279
  #1114685 #1123328 #1144333 #1151927 #1153917 #1154601
  #1157155 #1157157 #1157692 #1158013 #1158026 #1158071
  #1159028 #1159096 #1159377 #1159394 #1159588 #1159911
  #1160147 #1160195 #1160210 #1160211 #1160433 #1160442
  #1160469 #1160470 #1160476 #1160560 #1160618 #1160678
  #1160755 #1160756 #1160784 #1160787 #1160802 #1160803
  #1160804 #1160917 #1160966 #1161087 #1161243 #1161472
  #1161514 #1161518 #1161522 #1161523 #1161549 #1161674
  #1161875 #1162028
Cross-References: CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994
  CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318
  CVE-2019-19927 CVE-2019-19965 CVE-2020-7053
Affected Products:
  SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 57 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 real-time kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19927: A slab-out-of-bounds read access could have been caused when mounting a crafted f2fs filesystem image and performing some operations on it, in drivers/gpu/drm/ttm/ttm_page_alloc.c (bnc#1160147).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).

The following non-security bugs were fixed:

- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). - ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666). - Fix partial checked out tree build ... so that bisection does not break. - Fix the locking in dcache_readdir() and friends (bsc#1123328). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - Temporary workaround for bsc#1159096 should no longer be needed. - USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - USB: serial: keyspan: handle unbound ports (bsc#1051510). - USB: serial: opticon: fix control-message timeouts (bsc#1051510). - USB: serial: quatech2: handle unbound ports (bsc#1051510). - USB: serial: suppress driver bind attributes (bsc#1051510). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377). - blk-mq: make sure that line break can be printed (bsc#1159377). - bnxt: apply computed clamp value for coalece parameter (bsc#1104745). - bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745 ). - bnxt_en: Return error if FW returns more data than dump length (bsc#1104745). - bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647). - bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647). 
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618). - bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618). - bpf: Sanity check max value for var_off stack access (bco#1160618). - bpf: Support variable offset stack access from helpers (bco#1160618). - bpf: add self-check logic to liveness analysis (bsc#1160618). - bpf: add verifier stats and log_level bit 2 (bsc#1160618). - bpf: improve stacksafe state comparison (bco#1160618). - bpf: improve verification speed by droping states (bsc#1160618). - bpf: improve verification speed by not remarking live_read (bsc#1160618). - bpf: improve verifier branch analysis (bsc#1160618). - bpf: increase complexity limit and maximum program size (bsc#1160618). - bpf: increase verifier log limit (bsc#1160618). - bpf: speed up stacksafe check (bco#1160618). - bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). 
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). 
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - cifs: Close cached root handle only if it had a lease (bsc#1144333). - cifs: Close open handle after interrupted close (bsc#1144333). - cifs: Do not miss cancelled OPEN responses (bsc#1144333). - cifs: Fix NULL pointer dereference in mid callback (bsc#1144333). - cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - cifs: Properly process SMB3 lease breaks (bsc#1144333). - cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - cifs: add support for flock (bsc#1144333). - cifs: close the shared root handle on tree disconnect (bsc#1144333). - cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). 
- drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178) - drm/i915/gvt: set guest display buffer as readonly (bsc#1112178) - drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178) - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956) - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - exit: panic before exit_mm() on global init exit (bsc#1161549). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - init: add arch_call_rest_init to allow stack switching (jsc#SLE-11178). - iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469). - iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iommu: Remove device link to group on failure (bsc#1160755). - iwlwifi: change monitor DMA to be coherent (bsc#1161243). - kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678). - kABI: Protest new fields in BPF structs (bsc#1160618). - kABI: protect struct sctp_ep_common (kabi).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - livepatch: Simplify stack trace retrieval (jsc#SLE-11178). - mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374). - mm, debug_pagealloc: do not rely on static keys too early (VM debuging functionality, bsc#1159096). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mmc: sdhci: Add a quirk for broken command queuing (git-fixes). - mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes). - net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). 
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740). - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - r8152: add missing endpoint sanity check (bsc#1051510). - s390/ftrace: save traced function caller (jsc#SLE-11178). - s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11178). - s390/head64: correct init_task stack setup (jsc#SLE-11178). - s390/kasan: avoid false positives during stack unwind (jsc#SLE-11178). - s390/kasan: avoid report in get_wchan (jsc#SLE-11178). - s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11178). - s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11178). - s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11178). - s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11178). - s390/test_unwind: print verbose unwinding results (jsc#SLE-11178). - s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11178). 
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11178). - s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11178). - s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11178). - s390/unwind: correct stack switching during unwind (jsc#SLE-11178). - s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11178). - s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11178). - s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11178). - s390/unwind: fix mixing regs and sp (jsc#SLE-11178). - s390/unwind: introduce stack unwind API (jsc#SLE-11178). - s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11178). - s390/unwind: remove stack recursion warning (jsc#SLE-11178). - s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11178). - s390/unwind: start unwinding from reliable state (jsc#SLE-11178). - s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11178). - s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11178). - s390/unwind: unify task is current checks (jsc#SLE-11178). - s390: add stack switch helper (jsc#SLE-11178). - s390: add support for virtually mapped kernel stacks (jsc#SLE-11178). - s390: always inline current_stack_pointer() (jsc#SLE-11178). - s390: always inline disabled_wait (jsc#SLE-11178). - s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11178). - s390: clean up stacks setup (jsc#SLE-11178). - s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11178). - s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11178). - s390: fine-tune stack switch helper (jsc#SLE-11178). - s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11178). - s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11178). - s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11178). - s390: kabi workaround for reliable stack tracing (jsc#SLE-11178). 
- s390: preserve kabi for stack unwind API (jsc#SLE-11178). - s390: unify stack size definitions (jsc#SLE-11178). - scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). 
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11178). - stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11178). - stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11178). - stacktrace: Provide common infrastructure (jsc#SLE-11178). - stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11178). - stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11178). - stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11178). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tracing: Cleanup stack trace code (jsc#SLE-11178). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 12-SP5: zypper in -t patch SUSE-SLE-RT-12-SP5-2020-605=1 Package List: - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch): kernel-devel-rt-4.12.14-6.3.1 kernel-source-rt-4.12.14-6.3.1 - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64): cluster-md-kmp-rt-4.12.14-6.3.1 dlm-kmp-rt-4.12.14-6.3.1 gfs2-kmp-rt-4.12.14-6.3.1 kernel-rt-4.12.14-6.3.1 kernel-rt-base-4.12.14-6.3.1 kernel-rt-devel-4.12.14-6.3.1 kernel-rt_debug-4.12.14-6.3.1 kernel-rt_debug-devel-4.12.14-6.3.1 kernel-syms-rt-4.12.14-6.3.1 ocfs2-kmp-rt-4.12.14-6.3.1 References: https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19927.html https://www.suse.com/security/cve/CVE-2019-19965.html https://www.suse.com/security/cve/CVE-2020-7053.html https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1144333 
https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154601 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158071 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159096 https://bugzilla.suse.com/1159377 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1160147 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160469 https://bugzilla.suse.com/1160470 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160618 https://bugzilla.suse.com/1160678 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161243 https://bugzilla.suse.com/1161472 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161875 https://bugzilla.suse.com/1162028 From sle-security-updates at lists.suse.com Fri Mar 6 07:27:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 6 Mar 2020 15:27:50 +0100 (CET) Subject: SUSE-SU-2020:0604-1: moderate: Security update for librsvg Message-ID: <20200306142750.4D1B3F79E@maintenance.suse.de> SUSE Security Update: Security update for librsvg 
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0604-1
Rating:             moderate
References:         #1162501
Cross-References:   CVE-2019-20446
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for librsvg to version 2.40.21 fixes the following issues:

librsvg was updated to version 2.40.21 fixing the following issues:

- CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501).
  NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
- Fixed a stack exhaustion with circular references in elements.
- Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG "use" elements in malicious SVGs.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-604=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-604=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-604=1

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-604=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

  librsvg-debugsource-2.40.21-5.9.1
  librsvg-devel-2.40.21-5.9.1
  typelib-1_0-Rsvg-2_0-2.40.21-5.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

  librsvg-debugsource-2.40.21-5.9.1
  librsvg-devel-2.40.21-5.9.1
  typelib-1_0-Rsvg-2_0-2.40.21-5.9.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  gdk-pixbuf-loader-rsvg-2.40.21-5.9.1
  gdk-pixbuf-loader-rsvg-debuginfo-2.40.21-5.9.1
  librsvg-2-2-2.40.21-5.9.1
  librsvg-2-2-debuginfo-2.40.21-5.9.1
  librsvg-debugsource-2.40.21-5.9.1
  rsvg-view-2.40.21-5.9.1
  rsvg-view-debuginfo-2.40.21-5.9.1

- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

  librsvg-2-2-32bit-2.40.21-5.9.1
  librsvg-2-2-debuginfo-32bit-2.40.21-5.9.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

  gdk-pixbuf-loader-rsvg-2.40.21-5.9.1
  gdk-pixbuf-loader-rsvg-debuginfo-2.40.21-5.9.1
  librsvg-2-2-2.40.21-5.9.1
  librsvg-2-2-debuginfo-2.40.21-5.9.1
  librsvg-debugsource-2.40.21-5.9.1
  rsvg-view-2.40.21-5.9.1
  rsvg-view-debuginfo-2.40.21-5.9.1

- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

  librsvg-2-2-32bit-2.40.21-5.9.1
  librsvg-2-2-debuginfo-32bit-2.40.21-5.9.1

References:

  https://www.suse.com/security/cve/CVE-2019-20446.html
  https://bugzilla.suse.com/1162501

From sle-security-updates at lists.suse.com Fri Mar 6 07:30:41 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Mar 2020 15:30:41 +0100 (CET)
Subject: SUSE-SU-2020:0601-1: moderate: Security update for gimp
Message-ID: <20200306143041.0B706F79E@maintenance.suse.de>

SUSE Security Update: Security update for gimp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0601-1
Rating:             moderate
References:         #1073625 #1073626 #1073629 #1161998
Cross-References:   CVE-2017-17785 CVE-2017-17786 CVE-2017-17788
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for gimp fixes the following issues:

- Fix for crashing due to segmentation fault caused by importing ghostscript files. (bsc#1161998)

Security issues fixed:

- CVE-2017-17785: Fixed a heap-based buffer overflow in FLI import (bsc#1073625)
- CVE-2017-17786: Fixed an out-of-bounds read in TGA (bsc#1073626)
- CVE-2017-17788: Fixed an out-of-bounds read in XCF (bsc#1073629)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:

  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-601=1

- SUSE Linux Enterprise Workstation Extension 12-SP4:

  zypper in -t patch SUSE-SLE-WE-12-SP4-2020-601=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-601=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-601=1

- SUSE Linux Enterprise Desktop 12-SP4:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-601=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

  gimp-2.8.18-9.8.1
  gimp-debuginfo-2.8.18-9.8.1
  gimp-debugsource-2.8.18-9.8.1
  gimp-plugins-python-2.8.18-9.8.1
  gimp-plugins-python-debuginfo-2.8.18-9.8.1
  libgimp-2_0-0-2.8.18-9.8.1
  libgimp-2_0-0-debuginfo-2.8.18-9.8.1
  libgimpui-2_0-0-2.8.18-9.8.1
  libgimpui-2_0-0-debuginfo-2.8.18-9.8.1

- SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch):

  gimp-lang-2.8.18-9.8.1

- SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch):

  gimp-lang-2.8.18-9.8.1

- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):

  gimp-2.8.18-9.8.1
  gimp-debuginfo-2.8.18-9.8.1
  gimp-debugsource-2.8.18-9.8.1
  gimp-plugins-python-2.8.18-9.8.1
  gimp-plugins-python-debuginfo-2.8.18-9.8.1
  libgimp-2_0-0-2.8.18-9.8.1
  libgimp-2_0-0-debuginfo-2.8.18-9.8.1
  libgimpui-2_0-0-2.8.18-9.8.1
  libgimpui-2_0-0-debuginfo-2.8.18-9.8.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

  gimp-debuginfo-2.8.18-9.8.1
  gimp-debugsource-2.8.18-9.8.1
  gimp-devel-2.8.18-9.8.1
  gimp-devel-debuginfo-2.8.18-9.8.1
  libgimp-2_0-0-2.8.18-9.8.1
  libgimp-2_0-0-debuginfo-2.8.18-9.8.1
  libgimpui-2_0-0-2.8.18-9.8.1
  libgimpui-2_0-0-debuginfo-2.8.18-9.8.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

  gimp-debuginfo-2.8.18-9.8.1
  gimp-debugsource-2.8.18-9.8.1
  gimp-devel-2.8.18-9.8.1
  gimp-devel-debuginfo-2.8.18-9.8.1
  libgimp-2_0-0-2.8.18-9.8.1
  libgimp-2_0-0-debuginfo-2.8.18-9.8.1
  libgimpui-2_0-0-2.8.18-9.8.1
  libgimpui-2_0-0-debuginfo-2.8.18-9.8.1

- SUSE Linux Enterprise Desktop 12-SP4 (noarch):

  gimp-lang-2.8.18-9.8.1

- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

  gimp-2.8.18-9.8.1
  gimp-debuginfo-2.8.18-9.8.1
  gimp-debugsource-2.8.18-9.8.1
  gimp-plugins-python-2.8.18-9.8.1
  gimp-plugins-python-debuginfo-2.8.18-9.8.1
  libgimp-2_0-0-2.8.18-9.8.1
  libgimp-2_0-0-debuginfo-2.8.18-9.8.1
  libgimpui-2_0-0-2.8.18-9.8.1
  libgimpui-2_0-0-debuginfo-2.8.18-9.8.1

References:

  https://www.suse.com/security/cve/CVE-2017-17785.html
  https://www.suse.com/security/cve/CVE-2017-17786.html
  https://www.suse.com/security/cve/CVE-2017-17788.html
  https://bugzilla.suse.com/1073625
  https://bugzilla.suse.com/1073626
  https://bugzilla.suse.com/1073629
  https://bugzilla.suse.com/1161998

From sle-security-updates at lists.suse.com Mon Mar 9 08:16:24 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Mar 2020 15:16:24 +0100 (CET)
Subject: SUSE-SU-2020:0613-1: moderate: Security update for the Linux Kernel
Message-ID: <20200309141624.5F611F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0613-1
Rating:             moderate
References:
  #1046303 #1050244 #1051510 #1051858 #1061840 #1065600 #1065729 #1071995
  #1078248 #1083647 #1085030 #1086301 #1086313 #1086314 #1089644 #1090888
  #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1108043 #1109837
  #1111666 #1112178 #1112374 #1113722 #1113956 #1113994 #1114279 #1114685
  #1115026 #1117169 #1118661 #1119113 #1120853 #1123328 #1126206 #1126390
  #1127354 #1127371 #1127611 #1127682 #1129551 #1129770 #1134973 #1134983
  #1137223 #1137236 #1138039 #1140948 #1141054 #1142095 #1142635 #1142924
  #1143959 #1144333 #1146519 #1146544 #1151067 #1151548 #1151900 #1151910
  #1151927 #1152107 #1152631 #1153535
#1153628 #1153811 #1153917 #1154043 #1154058 #1154243 #1154355 #1154601 #1154768 #1154916 #1155331 #1155334 #1155689 #1155897 #1155921 #1156258 #1156259 #1156286 #1156462 #1156471 #1156928 #1157032 #1157038 #1157042 #1157044 #1157045 #1157046 #1157049 #1157070 #1157115 #1157143 #1157145 #1157155 #1157157 #1157158 #1157160 #1157162 #1157169 #1157171 #1157173 #1157178 #1157180 #1157182 #1157183 #1157184 #1157191 #1157193 #1157197 #1157298 #1157303 #1157304 #1157307 #1157324 #1157333 #1157386 #1157424 #1157463 #1157499 #1157678 #1157692 #1157698 #1157778 #1157853 #1157895 #1157908 #1158013 #1158021 #1158026 #1158049 #1158063 #1158064 #1158065 #1158066 #1158067 #1158068 #1158071 #1158082 #1158094 #1158132 #1158381 #1158394 #1158398 #1158407 #1158410 #1158413 #1158417 #1158427 #1158445 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159028 #1159297 #1159377 #1159394 #1159483 #1159484 #1159500 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160147 #1160195 #1160210 #1160211 #1160433 #1160442 #1160469 #1160470 #1160476 #1160560 #1160618 #1160678 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1161087 #1161243 #1161472 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161674 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162028 #1162067 #1162109 #1162139 Cross-References: CVE-2019-14615 CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2019-14901 CVE-2019-15213 CVE-2019-16746 CVE-2019-16994 CVE-2019-18660 CVE-2019-18683 CVE-2019-18808 CVE-2019-18809 CVE-2019-19036 CVE-2019-19045 CVE-2019-19046 CVE-2019-19049 CVE-2019-19051 CVE-2019-19052 CVE-2019-19054 CVE-2019-19056 CVE-2019-19057 CVE-2019-19058 CVE-2019-19060 CVE-2019-19062 CVE-2019-19063 CVE-2019-19065 CVE-2019-19066 CVE-2019-19067 CVE-2019-19068 CVE-2019-19073 
  CVE-2019-19074 CVE-2019-19075 CVE-2019-19077 CVE-2019-19078
  CVE-2019-19080 CVE-2019-19081 CVE-2019-19082 CVE-2019-19083
  CVE-2019-19227 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332
  CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524
  CVE-2019-19525 CVE-2019-19526 CVE-2019-19527 CVE-2019-19528
  CVE-2019-19529 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532
  CVE-2019-19533 CVE-2019-19534 CVE-2019-19535 CVE-2019-19536
  CVE-2019-19537 CVE-2019-19543 CVE-2019-19767 CVE-2019-19927
  CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095
  CVE-2019-20096 CVE-2020-7053 CVE-2020-8428
Affected Products:
                    SUSE Linux Enterprise Module for Realtime 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

An update that solves 69 vulnerabilities and has 168 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 real-time kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Marvell WiFi driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-14896: A heap overflow was found in the add_ie_rates() function of the Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14897: A stack overflow was found in the lbs_ibss_join_existing() function of the Marvell Wifi Driver (bsc#1157155).
- CVE-2019-14901: A heap overflow flaw was found in the Marvell WiFi driver.
  The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code (bnc#1157042).
- CVE-2019-15213: A use-after-free bug caused by a malicious USB device was found in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c. The check for the length of variable elements in a beacon head was insufficient, leading to a buffer overflow (bnc#1152107).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18660: An information disclosure bug occurred because the Spectre-RSB mitigation was not in place for all applicable CPUs, aka CID-39e72bf96f58 (bnc#1157038).
- CVE-2019-18683: Multiple race conditions were discovered in drivers/media/platform/vivid. It was exploitable for privilege escalation if local users had access to /dev/video0, but only if the driver happened to be loaded. At least one of these race conditions led to a use-after-free (bnc#1155897).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-18809: A memory leak in drivers/media/usb/dvb-usb/af9005.c allowed attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559 (bnc#1156258).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19046: There was a memory leak in __ipmi_bmc_register (bsc#1157304).
- CVE-2019-19049: There was an unlikely memory leak in unittest_data_add (bsc#1157173).
- CVE-2019-19051: A memory leak in drivers/net/wimax/i2400m/op-rfkill.c allowed attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7 (bnc#1159024).
- CVE-2019-19052: A memory leak in drivers/net/can/usb/gs_usb.c allowed attackers to cause a denial of service (memory consumption), aka CID-fb5be6a7b486 (bnc#1157324).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19056: A memory leak in drivers/net/wireless/marvell/mwifiex/pcie.c allowed attackers to cause a denial of service (memory consumption), aka CID-db8fd2cde932 (bnc#1157197).
- CVE-2019-19057: Two memory leaks in drivers/net/wireless/marvell/mwifiex/pcie.c allowed attackers to cause a denial of service (memory consumption), aka CID-d10dcb615c8e (bnc#1157193 bsc#1157197).
- CVE-2019-19058: A memory leak in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allowed attackers to cause a denial of service (memory consumption), aka CID-b4b814fec1a5 (bnc#1157145).
- CVE-2019-19060: A memory leak in drivers/iio/imu/adis_buffer.c allowed attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41 (bnc#1157178).
- CVE-2019-19062: A memory leak in crypto/crypto_user_base.c allowed attackers to cause a denial of service (memory consumption), aka CID-ffdde5932042 (bnc#1157333).
- CVE-2019-19063: Two memory leaks in drivers/net/wireless/realtek/rtlwifi/usb.c allowed attackers to cause a denial of service (memory consumption), aka CID-3f9361695113 (bnc#1157298).
- CVE-2019-19065: A memory leak in drivers/infiniband/hw/hfi1/sdma.c allowed attackers to cause a denial of service (memory consumption), aka CID-34b3be18a04e (bnc#1157191).
- CVE-2019-19066: A memory leak in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption), aka CID-0e62395da2bd (bnc#1157303).
- CVE-2019-19067: There were four unlikely memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c (bnc#1157180).
- CVE-2019-19068: A memory leak in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allowed attackers to cause a denial of service (memory consumption), aka CID-a2cdd07488e6 (bnc#1157307).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption), aka CID-853acf7caf10 (bnc#1157070).
- CVE-2019-19074: A memory leak in drivers/net/wireless/ath/ath9k/wmi.c allowed attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4 (bnc#1157143).
- CVE-2019-19075: A memory leak in drivers/net/ieee802154/ca8210.c allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e (bnc#1157162).
- CVE-2019-19077: A memory leak in drivers/infiniband/hw/bnxt_re/ib_verbs.c allowed attackers to cause a denial of service (memory consumption), aka CID-4a9d46a9fe14 (bnc#1157171).
- CVE-2019-19078: A memory leak in drivers/net/wireless/ath/ath10k/usb.c allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2 (bnc#1157032).
- CVE-2019-19080: Four memory leaks in drivers/net/ethernet/netronome/nfp/flower/main.c allowed attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a (bnc#1157044).
- CVE-2019-19081: A memory leak in drivers/net/ethernet/netronome/nfp/flower/main.c allowed attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a (bnc#1157045).
- CVE-2019-19082: Memory leaks were found in the *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc, aka CID-104c307147ad (bnc#1157046).
- CVE-2019-19083: Memory leaks were found in the *clock_source_create() functions under drivers/gpu/drm/amd/display/dc, aka CID-055e547478a1 (bnc#1157049).
- CVE-2019-19227: In the AppleTalk subsystem there was a potential NULL pointer dereference because register_snap_client may return NULL. This could have led to denial of service, aka CID-9804501fa122 (bnc#1157678).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19319: A slab-out-of-bounds write access could have occurred when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19332: An out-of-bounds memory write issue was found in the way the KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could have used this flaw to crash the system (bnc#1158827).
- CVE-2019-19338: There was an incomplete fix for an issue with Transactional Synchronisation Extensions in the KVM code (bsc#1158954).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bsc#1158823).
- CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9 (bsc#1158413).
- CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035 (bsc#1158417).
- CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098 (bsc#1158893).
- CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e (bsc#1158900).
- CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d (bsc#1158407).
- CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41 (bnc#1158381).
- CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef (bsc#1158410).
- CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca (bsc#1158445).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB HID device, aka CID-d9d4b1e46d95 (bsc#1158824).
- CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464 (bsc#1158834).
- CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29 (bsc#1158398).
- CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042 (bsc#1158903).
- CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0 (bsc#1158394).
- CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9 (bsc#1158904).
- CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-19927: A slab-out-of-bounds read access occurred when mounting a crafted f2fs filesystem image and performing some operations on it (bnc#1160147).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- a typo in %kernel_base_conflicts macro name - ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge (bsc#1111666). - ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask (bsc#1051510). - ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510). - ACPI / SBS: Fix rare oops when removing modules (bsc#1051510). - ACPI/nfit, device-dax: Identify differentiated memory with a unique numa-node (bsc#1158071). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - ACPI: OSL: only free map once in osl.c (bsc#1051510). - ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510). - ACPICA: Never run _REG on system_memory and system_IO (bsc#1051510). - ACPICA: Use %d for signed int print formatting instead of %u (bsc#1051510). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: 6fire: Drop the dead code (git-fixes). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: cs4236: fix error return comparison of an unsigned integer (git-fixes). - ALSA: echoaudio: simplify get_audio_levels (bsc#1051510). - ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: firewire-motu: Correct a typo in the clock proc string (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda - Add mute led support for HP ProBook 645 G4 (git-fixes). - ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666). - ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). 
- ALSA: hda - Fix pending unsol events at shutdown (git-fixes). - ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - Clear codec->relaxed_resume flag at unbinding (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510). - ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes). - ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666). - ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666). - ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666). - ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666). - ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes). - ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC (git-fixes). - ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666). - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (git-fixes). - ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G (git-fixes). - ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510). - ALSA: hda/realtek - More constifications (bsc#1111666). - ALSA: hda/realtek - Move some alc236 pintbls to fallback table (git-fixes). 
- ALSA: hda/realtek - Move some alc256 pintbls to fallback table (git-fixes). - ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666). - ALSA: hda: constify copied structure (bsc#1111666). - ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666). - ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666). - ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666). - ALSA: hda: Fix racy display power access (bsc#1156928). - ALSA: hda: hdmi - fix port numbering for ICL and TGL platforms (git-fixes). - ALSA: hda: hdmi - remove redundant code comments (git-fixes). - ALSA: hda: More constifications (bsc#1111666). - ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666). - ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666). - ALSA: i2c/cs8427: Fix int to char conversion (bsc#1051510). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: intel8x0m: Register irq handler after register initializations (bsc#1051510). - ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes). - ALSA: pcm: signedness bug in snd_pcm_plug_alloc() (bsc#1051510). - ALSA: pcm: Yet another missing check of non-cached buffer type (bsc#1111666). - ALSA: seq: Do error checks at creating system ports (bsc#1051510). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: sh: Fix unused variable warnings (bsc#1111666). - ALSA: usb-audio: Add skip_validation option (git-fixes). - ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666). - ALSA: usb-audio: Fix Focusrite Scarlett 6i6 gen1 - input handling (git-fixes). - ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() (git-fixes). 
- ALSA: usb-audio: Fix incorrect size check for processing/extension units (git-fixes). - ALSA: usb-audio: Fix NULL dereference at parsing BADD (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - ALSA: usb-audio: sound: usb: usb true/false for bool return type (git-fixes). - apparmor: fix unsigned len comparison with less than zero (git-fixes). - appledisplay: fix error handling in the scheduled work (git-fixes). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). - ASoC: compress: fix unsigned integer overflow check (bsc#1051510). - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: davinci-mcasp: Handle return value of devm_kasprintf (stable 4.14.y). - ASoC: davinci: Kill BUG_ON() usage (stable 4.14.y). - ASoC: dpcm: Properly initialise hw->rate_max (bsc#1051510). - ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: kirkwood: fix external clock probe defer (git-fixes). - ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX (git-fixes). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666). - ASoC: sgtl5000: avoid division by zero if lo_vag is zero (bsc#1051510). - ASoC: tegra_sgtl5000: fix device_node refcounting (bsc#1051510). - ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes (stable 4.14.y). - ASoC: tlv320dac31xx: mark expected switch fall-through (stable 4.14.y). - ASoC: wm8962: fix lambda value (git-fixes). - ata: ep93xx: Use proper enums for directions (bsc#1051510). - ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem (bsc#1111666). - ath10k: avoid possible memory access violation (bsc#1111666). 
- ath10k: Correct error handling of dma_map_single() (bsc#1111666). - ath10k: Correct the DMA direction for management tx buffers (bsc#1111666). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath10k: fix kernel panic by moving pci flush after napi_disable (bsc#1051510). - ath10k: fix vdev-start timeout on error (bsc#1051510). - ath10k: limit available channels via DT ieee80211-freq-limit (bsc#1051510). - ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666). - ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666). - ath10k: skip resetting rx filter for WCN3990 (bsc#1111666). - ath10k: wmi: disable softirq's while calling ieee80211_rx (bsc#1051510). - ath6kl: Fix off by one error in scan completion (bsc#1051510). - ath9k: add back support for using active monitor interfaces for tx99 (bsc#1051510). - ath9k: Fix a locking bug in ath9k_add_interface() (bsc#1051510). - ath9k: fix reporting calculated new FFT upper max (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - ath9k: fix tx99 with monitor mode interface (bsc#1051510). - ath9k_hw: fix uninitialized variable data (bsc#1051510). - atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510). - audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094). - ax88172a: fix information leak on short answers (bsc#1051510). - backlight: lm3639: Unconditionally call led_classdev_unregister (bsc#1051510). - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377). - blk-mq: make sure that line break can be printed (bsc#1159377). - Bluetooth: btusb: fix PM leak in error case of setup (bsc#1051510). - Bluetooth: delete a stray unlock (bsc#1051510). - Bluetooth: Fix invalid-free in bcsp_close() (git-fixes). - Bluetooth: Fix memory leak in hci_connect_le_scan (bsc#1051510). 
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510). - Bluetooth: hci_core: fix init for HCI_USER_CHANNEL (bsc#1051510). - Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS (bsc#1051510). - bnxt: apply computed clamp value for coalece parameter (bsc#1104745). - bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745 ). - bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands (bsc#1104745). - bnxt_en: Return error if FW returns more data than dump length (bsc#1104745). - bnxt_en: Update firmware interface spec. to 1.10.0.47 (bsc#1157115) - bnxt_en: Update firmware interface spec. to 1.10.0.89 (bsc#1157115) - bnxt_en: Update firmware interface to 1.10.0.69 (bsc#1157115) - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10). - bonding: fix state transition issue in link monitoring (networking-stable-19_11_10). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837). - bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647). - bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack() (bsc#1083647). - bpf: add self-check logic to liveness analysis (bsc#1160618). - bpf: add verifier stats and log_level bit 2 (bsc#1160618). - bpf: fix BTF limits (bsc#1109837). - bpf: fix BTF verification of enums (bsc#1109837). - bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647). - bpf: Fix use after free in subprog's jited symbol removal (bsc#1109837). - bpf: improve stacksafe state comparison (bco#1160618). - bpf: improve verification speed by droping states (bsc#1160618). - bpf: improve verification speed by not remarking live_read (bsc#1160618). - bpf: improve verifier branch analysis (bsc#1160618). 
- bpf: increase complexity limit and maximum program size (bsc#1160618). - bpf: increase verifier log limit (bsc#1160618). - bpf: Make use of probe_user_write in probe write helper (bsc#1083647). - bpf: Reject indirect var_off stack access in raw mode (bsc#1160618). - bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618). - bpf: Sanity check max value for var_off stack access (bco#1160618). - bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837). - bpf: speed up stacksafe check (bco#1160618). - bpf: Support variable offset stack access from helpers (bco#1160618). - bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618). - brcmfmac: fix full timeout waiting for action frame on-channel tx (bsc#1051510). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - brcmfmac: fix wrong strnchr usage (bsc#1111666). - brcmfmac: increase buffer for obtaining firmware capabilities (bsc#1111666). - brcmfmac: reduce timeout for action frame scan (bsc#1051510). - brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666). - brcmfmac: set F2 watermark to 256 for 4373 (bsc#1111666). - brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 (bsc#1111666). - brcmsmac: AP mode: update beacon when TIM changes (bsc#1051510). - brcmsmac: never log "tid x is not agg'able" by default (bsc#1051510). - brcmsmac: Use kvmalloc() for ucode allocations (bsc#1111666). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). 
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: simplify inode locking for RWF_NOWAIT (git-fixes). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). 
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). 
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: c_can: c_can_poll(): only read status register after status IRQ (git-fixes). - can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mcba_usb: fix use-after-free on disconnect (git-fixes). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can: peak_usb: fix a potential out-of-sync while decoding packets (git-fixes). - can: peak_usb: fix slab info leak (git-fixes). - can: peak_usb: report bus recovery as well (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max (git-fixes). - can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510). - can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak (git-fixes). - can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak (git-fixes). - can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510). - can: usb_8dev: fix use-after-free on disconnect (git-fixes). - CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10). - ceph: add missing check in d_revalidate snapdir handling (bsc#1157183). - ceph: do not try to handle hashed dentries in non-O_CREAT atomic_open (bsc#1157184). - ceph: fix use-after-free in __ceph_remove_cap() (bsc#1154058). - ceph: just skip unrecognized info in ceph_reply_info_extra (bsc#1157182). 
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set (bsc#1051510). - cfg80211: call disconnect_wk when AP stops (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix deadlocks in autodisconnect work (bsc#1111666). - cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces (bsc#1051510). - cfg80211: validate wmm rule when setting (bsc#1111666). - cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - cifs: add a helper to find an existing readable handle to a file (bsc#1144333, bsc#1154355). - cifs: add support for flock (bsc#1144333). - cifs: avoid using MID 0xFFFF (bsc#1144333, bsc#1154355). - cifs: Close cached root handle only if it had a lease (bsc#1144333). - cifs: Close open handle after interrupted close (bsc#1144333). - cifs: close the shared root handle on tree disconnect (bsc#1144333). - cifs: create a helper to find a writeable handle by path name (bsc#1144333, bsc#1154355). - cifs: Do not miss cancelled OPEN responses (bsc#1144333). - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bsc#1144333, bsc#1154355). - cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333). - cifs: fix max ea value size (bsc#1144333, bsc#1154355). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: Fix missed free operations (bsc#1144333, bsc#1154355). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: Fix NULL pointer dereference in mid callback (bsc#1144333). - cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). 
- cifs: Fix oplock handling for SMB 2.1+ protocols (bsc#1144333, bsc#1154355). - cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - cifs: Fix retry mid list corruption on reconnects (bsc#1144333, bsc#1154355). - cifs: Fix SMB2 oplock break processing (bsc#1144333, bsc#1154355). - cifs: Fix use after free of file info structures (bsc#1144333, bsc#1154355). - cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - cifs: Force reval dentry if LOOKUP_REVAL flag is set (bsc#1144333, bsc#1154355). - cifs: Force revalidate inode when dentry is stale (bsc#1144333, bsc#1154355). - cifs: Gracefully handle QueryInfo errors during open (bsc#1144333, bsc#1154355). - cifs: move cifsFileInfo_put logic into a work-queue (bsc#1144333, bsc#1154355). - cifs: prepare SMB2_Flush to be usable in compounds (bsc#1144333, bsc#1154355). - cifs: Properly process SMB3 lease breaks (bsc#1144333). - cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - cifs: set domainName when a domain-key is used in multiuser (bsc#1144333, bsc#1154355). - cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic (bsc#1144333, bsc#1154355). - cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#1144333, bsc#1154355). - cifs: Use kzfree() to zero out the password (bsc#1144333, bsc#1154355). - clk: at91: avoid sleeping early (git-fixes). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes). - clk: pxa: fix one of the pxa RTC clocks (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). 
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume (bsc#1051510). - clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume (git-fixes). - clk: samsung: Use clk_hw API for calling clk framework from clk notifiers (bsc#1051510). - clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18 (git-fixes). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines (bsc#1051510). - clocksource/drivers/sh_cmt: Fixup for 64-bit machines (bsc#1051510). - compat_ioctl: handle SIOCOUTQNSD (bsc#1051510). - component: fix loop condition to call unbind() if bind() fails (bsc#1051510). - configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - Cover up kABI breakage due to DH key verification (bsc#1155331). - cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() (bsc#1051510). - cpufreq: intel_pstate: Register when ACPI PCCH is present (bsc#1051510). - cpufreq: powernv: fix stack bloat and hard limit on number of CPUs (bsc#1051510). - cpufreq: Skip cpufreq resume if it's not suspended (bsc#1051510). - cpufreq: ti-cpufreq: add missing of_node_put() (bsc#1051510). - cpupower : Fix cpupower working when cpu0 is offline (bsc#1051510). - cpupower : frequency-set -r option misses the last cpu in related cpu list (bsc#1051510). - cpupower: Fix coredump on VMWare (bsc#1051510). - crypto: af_alg - cast ki_complete ternary op to int (bsc#1051510). - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). 
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr (bsc#1051510). - crypto: dh - add public key verification test (bsc#1155331). - crypto: dh - fix calculating encoded key size (bsc#1155331). - crypto: dh - fix memory leak (bsc#1155331). - crypto: dh - update test for public key verification (bsc#1155331). - crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334). - crypto: ecdh - add public key verification test (bsc#1155331). - crypto: ecdh - fix big endian bug in ECC library (bsc#1051510). - crypto: ecdh - fix typo of P-192 b value (bsc#1155331). - crypto: fix a memory leak in rsa-kcs1pad's encryption mode (bsc#1051510). - crypto: geode-aes - switch to skcipher for cbc(aes) fallback (bsc#1051510). - crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510). - crypto: mxs-dcp - Fix AES issues (bsc#1051510). - crypto: mxs-dcp - Fix SHA null hashes and output length (bsc#1051510). - crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - crypto: s5p-sss: Fix Fix argument list alignment (bsc#1051510). - crypto: tgr192 - remove unneeded semicolon (bsc#1051510). - cw1200: Fix a signedness bug in cw1200_load_firmware() (bsc#1051510). - cxgb4: fix panic when attaching to ULD fail (networking-stable-19_11_05). - cxgb4: request the TX CIDX updates to status page (bsc#1127354 bsc#1127371). - cxgb4: request the TX CIDX updates to status page (bsc#1127371). 
- dccp: do not leak jiffies on the wire (networking-stable-19_11_05). - dlm: do not leak kernel pointer to userspace (bsc#1051510). - dlm: fix invalid free (bsc#1051510). - dma-buf: Fix memory leak in sync_file_merge() (git-fixes). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: dma-jz4780: Do not depend on MACH_JZ4780 (bsc#1051510). - dmaengine: dma-jz4780: Further residue status fix (bsc#1051510). - dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - dmaengine: imx-sdma: fix use-after-free on probe error path (bsc#1051510). - dmaengine: rcar-dmac: set scatter/gather max segment size (bsc#1051510). - dmaengine: timb_dma: Use proper enum in td_prep_slave_sg (bsc#1051510). - docs: move protection-keys.rst to the core-api book (bsc#1078248). - Documentation: debugfs: Document debugfs helper for unsigned long values (git-fixes). - Documentation: x86: convert protection-keys.txt to reST (bsc#1078248). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). - drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510). - drivers/regulator: fix a missing check of return value (bsc#1051510). - drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported (bsc#1113956) - drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666). - drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666). - drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1111666). 
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279) - drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666). - drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/etnaviv: fix dumping of iommuv2 (bsc#1113722) - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915/gvt: fix dropping obj reference twice (bsc#1111666). - drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178) - drm/i915/gvt: set guest display buffer as readonly (bsc#1112178) - drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178) - drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666). - drm/i915/pmu: "Frequency" is reported as accumulated cycles (bsc#1112178) - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666). - drm/i915: Do not dereference request if it may have been retired when (bsc#1142635) - drm/i915: Fix and improve MCR selection logic (bsc#1112178) - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666). - drm/i915: Lock the engine while dumping the active request (bsc#1142635) - drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666). - drm/i915: Reacquire priolist cache after dropping the engine lock (bsc#1129770) - drm/i915: Sanity check mmap length against object size (bsc#1111666). - drm/i915: Skip modeset for cdclk changes if possible (bsc#1156928). - drm/msm: fix memleak on release (bsc#1111666). - drm/msm: include linux/sched/task.h (bsc#1112178) - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666).
- drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666). - drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666). - drm/omap: fix max fclk divider for omap36xx (bsc#1113722) - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix bad DMA from INTERRUPT_CNTL2 (git-fixes). - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/radeon: fix si_enable_smc_cac() failed issue (bsc#1113722) - drm/rect: Avoid division by zero (bsc#1111666). - drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666). - drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279) - drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956) - drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666). - drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666). - drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666). - drm: fix module name in edid_firmware log message (bsc#1113956) - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510). - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666). - drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279) - e1000e: Add support for Comet Lake (bsc#1158533). - e1000e: Add support for Tiger Lake (bsc#1158533). - e1000e: Drop unnecessary __E1000_DOWN bit twiddling (bsc#1158049). - e1000e: Increase pause and refresh time (bsc#1158533). - e1000e: Use dev_get_drvdata where possible (bsc#1158049). - e1000e: Use rtnl_lock to prevent race conditions between net and pci/pm (bsc#1158049). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646). - ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). - EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279). - EDAC/ghes: Fix Use after free in ghes_edac remove path (bsc#1114279). - exit: panic before exit_mm() on global init exit (bsc#1161549). - ext4: fix punch hole for inline_data file systems (bsc#1158640). - ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639). - extcon: cht-wc: Return from default case to avoid warnings (bsc#1051510). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() (bsc#1051510). - fbdev: sbuslib: use checked version of put_user() (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - Fix partial checked out tree build ... so that bisection does not break. - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853). - genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510). - genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - gpio: mpc8xxx: Do not overwrite default irq_set_type callback (bsc#1051510). - gpio: syscon: Fix possible NULL ptr usage (bsc#1051510). - gpiolib: acpi: Add Terra Pad 1061 to the run_edge_events_on_boot_blacklist (bsc#1051510). - gsmi: Fix bug in append_to_eventlog sysfs handler (bsc#1051510). - HID: Add ASUS T100CHI keyboard dock battery quirks (bsc#1051510). - HID: Add quirk for Microsoft PIXART OEM mouse (bsc#1051510). - HID: asus: Add T100CHI bluetooth keyboard dock special keys mapping (bsc#1051510). - HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: Fix assumption that devices have inputs (git-fixes). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - HID: wacom: generic: Treat serial number and related fields as unsigned (git-fixes). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pwm-fan) Silence error on probe deferral (bsc#1051510). - hwrng: omap - Fix RNG wait loop timeout (bsc#1051510). - hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled (bsc#1051510). - hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510). - hypfs: Fix error number left in struct pointer member (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - i2c: of: Try to find an I2C adapter matching the parent (bsc#1129770) - i40e: enable X710 support (bsc#1151067). - IB/hfi1: Do not cancel unused work item (bsc#1114685 ). - IB/mlx5: Fix steering rule of drop and count (bsc#1103991 ). - IB/mlx5: Free mpi in mp_slave mode (bsc#1103991). - IB/mlx5: Remove dead code (bsc#1103991). - IB/mlx5: Support MLX5_CMD_OP_QUERY_LAG as a DEVX general command (bsc#1103991). - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047). - ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047). - ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047). 
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ice: fix potential infinite loop because loop counter being too small (bsc#1118661).
- ice: fix stack leakage (bsc#1118661).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- iio: adc: max9611: explicitly cast gain_selectors (bsc#1051510).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: adc: stm32-adc: fix stopping dma (git-fixes).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- iio: dac: mcp4922: fix error handling in mcp4922_write_raw (bsc#1051510).
- iio: imu: adis16480: assign bias value only if operation succeeded (git-fixes).
- iio: imu: adis16480: make sure provided frequency is positive (git-fixes).
- iio: imu: adis: assign read val in debugfs hook only if op successful (git-fixes).
- iio: imu: adis: assign value only if return code zero in read funcs (git-fixes).
- include/linux/bitrev.h: fix constant bitrev (bsc#1114279).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- inet: stop leaking jiffies on the wire (networking-stable-19_11_05).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: ff-memless - kill timer in destroy() (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: silead - try firmware reload after unsuccessful resume (bsc#1051510).
- Input: st1232 - set INPUT_PROP_DIRECT property (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - clear IRQ enables for F54 (bsc#1051510).
- Input: synaptics-rmi4 - destroy F54 poller workqueue when removing (bsc#1051510).
- Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver (bsc#1051510).
- Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - fix video buffer size (git-fixes).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- intel_th: Fix a double put_device() in error path (git-fixes).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469).
- iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470).
- iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros (bsc#1158063).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipmi: Do not allow device module unload when in use (bsc#1154768).
- ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address (bsc#1051510).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- ipv4: Return -ENETUNREACH if we can't create route but saddr is valid (networking-stable-19_10_24).
- irqdomain: Add the missing assignment of domain->fwnode for named fwnode (bsc#1111666).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: api: annotate compressed BA notif array sizes (bsc#1051510).
- iwlwifi: change monitor DMA to be coherent (bsc#1161243).
- iwlwifi: check kasprintf() return value (bsc#1051510).
- iwlwifi: clear persistence bit according to device family (bsc#1111666).
- iwlwifi: drop packets with bad status in CD (bsc#1111666).
- iwlwifi: mvm: avoid sending too many BARs (bsc#1051510).
- iwlwifi: mvm: do not send keys when entering D3 (bsc#1051510).
- iwlwifi: mvm: force TCM re-evaluation on TCM resume (bsc#1111666).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- iwlwifi: mvm: use correct FIFO length (bsc#1111666).
- iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN (bsc#1111666).
- iwlwifi: pcie: fix erroneous print (bsc#1111666).
- iwlwifi: pcie: read correct prph address for newer devices (bsc#1111666).
- iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666).
- ixgbe: fix double clean of Tx descriptors with xdp (bsc#1113994).
- ixgbevf: Fix secpath usage for IPsec Tx offload (bsc#1113994).
- kABI fix for "ipmi: Do not allow device module unload when in use" (bsc#1154768).
- kABI fixup alloc_dax_region (bsc#1158071).
- kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678).
- kABI workaround for ath10k hw_filter_reset_required field (bsc#1111666).
- kABI workaround for ath10k last_wmi_vdev_start_status field (bsc#1051510).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI workaround for iwlwifi iwl_rx_cmd_buffer change (bsc#1111666).
- kABI workaround for struct mwifiex_power_cfg change (bsc#1051510).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: Fix for "KVM: x86: Introduce vcpu->arch.xsaves_enabled" (bsc#1158066).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: Protest new fields in BPF structs (bsc#1160618).
- kABI: s390: struct subchannel (git-fixes).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: fix __insn32_query() inline assembly (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: s390: vsie: Do not shadow CRYCB when no AP and no keys (git-fixes).
- KVM: s390: vsie: Return correct values for Invalid CRYCB format (git-fixes).
- KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279).
- KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279).
- KVM: VMX: Consider PID.PIR to determine if vCPU has pending interrupts (bsc#1158064).
- KVM: VMX: Fix conditions for guest IA32_XSS support (bsc#1158065).
- KVM: x86/mmu: Take slots_lock when using kvm_mmu_zap_all_fast() (bsc#1158067).
- kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Introduce vcpu->arch.xsaves_enabled (bsc#1158066).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535).
- libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834).
- libnvdimm: Export the target_node attribute for regions and namespaces (bsc#1158071).
- libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535).
- liquidio: fix race condition in instruction completion processing (bsc#1051510).
- livepatch: Allow to distinguish different version of system state changes (bsc#1071995).
- livepatch: Basic API to track system state changes (bsc#1071995).
- livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995).
- livepatch: Selftests of the API for tracking system state changes (bsc#1071995).
- loop: add ioctl for changing logical block size (bsc#1108043).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- lpfc: size cpu map by last cpu id set (bsc#1157160).
- mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED (bsc#1051510).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: minstrel: fix CCK rate group streams value (bsc#1051510).
- mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: schedule bc_work even if error (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone (git-fixes).
- media: au0828: Fix incorrect error messages (bsc#1051510).
- media: bdisp: fix memleak on release (git-fixes).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: cxusb: detect cxusb_ctrl_msg error in query (bsc#1051510).
- media: davinci: Fix implicit enum conversion warning (bsc#1051510).
- media: exynos4-is: Fix recursive locking in isp_video_release() (git-fixes).
- media: fix: media: pci: meye: validate offset to avoid arbitrary access (bsc#1051510).
- media: flexcop-usb: ensure -EIO is returned on error condition (git-fixes).
- media: imon: invalid dereference in imon_touch_event (bsc#1051510).
- media: isif: fix a NULL pointer dereference bug (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() (bsc#1051510).
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: pxa_camera: Fix check for pdev->dev.of_node (bsc#1051510).
- media: radio: wl1273: fix interrupt masking on release (git-fixes).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: ti-vpe: vpe: Fix Motion Vector vpdma stride (git-fixes).
- media: usbvision: Fix races among open, close, and disconnect (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: vim2m: Fix abort issue (git-fixes).
- media: vivid: Set vid_cap_streaming and vid_out_streaming to true (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mei: fix modalias documentation (git-fixes).
- mei: samples: fix a signedness bug in amt_host_if_call() (bsc#1051510).
- mfd: intel-lpss: Add default I2C device properties for Gemini Lake (bsc#1051510).
- mfd: max8997: Enale irq-wakeup unconditionally (bsc#1051510).
- mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values (bsc#1051510).
- mfd: palmas: Assign the right powerhold mask for tps65917 (git-fixes).
- mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable (bsc#1051510).
- mISDN: Fix type of switch control variable in ctrl_teimanager (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mlx5: add parameter to disable enhanced IPoIB (bsc#1142095)
- mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions (bsc#1112374).
- mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374).
- mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (git fixes (mm/gup)).
- mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new zone (git fixes (mm/compaction)).
- mm/debug.c: PageAnon() is true for PageKsm() pages (git fixes (mm/debug)).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: core: fix wl1251 sdio quirks (git-fixes).
- mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card (git-fixes).
- mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail (bsc#1051510).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-at91: fix quirk2 overwrite (git-fixes).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci: Add a quirk for broken command queuing (git-fixes).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes).
- mmc: sdio: fix wl1251 vendor id (git-fixes).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837).
- mt7601u: fix bbp version check in mt7601u_wait_bbp_ready (bsc#1051510).
- mt76x0: init hw capabilities.
- mtd: spear_smi: Fix Write Burst mode (bsc#1051510).
- mtd: spi-nor: fix silent truncation in spi_nor_read() (bsc#1051510).
- mwifex: free rx_cmd skb in suspended state (bsc#1111666).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666).
- mwifiex: do no submit URB in suspended state (bsc#1111666).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: Fix NL80211_TX_POWER_LIMITED (bsc#1051510).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- mwifiex: update set_mac_address logic (bsc#1111666).
- nbd: prevent memory leak (bsc#1158638).
- net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/ibmvnic: Ignore H_FUNCTION return from H_EOI to tolerate XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_core: Dynamically set guaranteed amount of counters per VF (networking-stable-19_11_05).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989).
- net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990).
- net/mlx5: FWTrace, Reduce stack usage (bsc#1103990).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlx5e: Fix eswitch debug print of max fdb flow (bsc#1103990).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1103990).
- net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget (networking-stable-19_11_05).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5e: Print a warning when LRO feature is dropped or not allowed (bsc#1103990).
- net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net/sched: cbs: Fix not adding cbs instance to list (bsc#1109837).
- net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate (bsc#1109837).
- net/smc: avoid fallback in case of non-blocking connect (git-fixes).
- net/smc: do not schedule tx_work in SMC_CLOSED state (git-fixes).
- net/smc: fix closing of fallback SMC sockets (git-fixes).
- net/smc: Fix error path in smc_init (git-fixes).
- net/smc: fix ethernet interface refcounting (git-fixes).
- net/smc: fix fastopen for non-blocking connect() (git-fixes).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: fix refcounting for non-blocking connect() (git-fixes).
- net/smc: fix SMCD link group creation with VLAN id (git-fixes).
- net/smc: keep vlan_id for SMC-R in smc_listen_work() (git-fixes).
- net/smc: original socket family in inet_sock_diag (git-fixes).
- net: add READ_ONCE() annotation in __skb_wait_for_more_packets() (networking-stable-19_11_05).
- net: add skb_queue_empty_lockless() (networking-stable-19_11_05).
- net: annotate accesses to sk->sk_incoming_cpu (networking-stable-19_11_05).
- net: annotate lockless accesses to sk->sk_napi_id (networking-stable-19_11_05).
- net: avoid potential infinite loop in tc_ctl_action() (networking-stable-19_10_24).
- net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 (networking-stable-19_10_24).
- net: bcmgenet: reset 40nm EPHY on energy detect (networking-stable-19_11_05).
- net: bcmgenet: Set phydev->dev_flags only for internal PHYs (networking-stable-19_10_24).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dsa: b53: Do not clear existing mirrored port mask (networking-stable-19_11_05).
- net: dsa: bcm_sf2: Fix IMP setup for port different than 8 (networking-stable-19_11_05).
- net: dsa: fix switch tree list (networking-stable-19_11_05).
- net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum (networking-stable-19_11_05).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: fix sk_page_frag() recursion from memory reclaim (networking-stable-19_11_05).
- net: hisilicon: Fix ping latency when deal with high throughput (networking-stable-19_11_05).
- net: hns3: change GFP flag during lock period (bsc#1104353).
- net: hns3: do not query unsupported commands in debugfs (bsc#1104353).
- net: hns3: fix ETS bandwidth validation bug (bsc#1104353).
- net: hns3: fix GFP flag error in hclge_mac_update_stats() (bsc#1126390).
- net: hns3: fix some reset handshake issue (bsc#1104353).
- net: hns3: prevent unnecessary MAC TNL interrupt (bsc#1104353 bsc#1134983).
- net: hns: Fix the stray netpoll locks causing deadlock in NAPI path (bsc#1104353).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: bcm7xxx: define soft_reset for 40nm EPHY (bsc#1119113).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: phylink: Fix flow control resolution (bsc#1119113).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: cbs: Avoid division by zero when calculating the port rate (bsc#1109837).
- net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837).
- net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837).
- net: sched: fix possible crash in tcf_action_destroy() (bsc#1109837).
- net: sched: fix reordering issues (bsc#1109837).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: sock_map, fix missing ulp check in sock hash case (bsc#1109837).
- net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow (networking-stable-19_10_24).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- net: use skb_queue_empty_lockless() in busy poll contexts (networking-stable-19_11_05).
- net: use skb_queue_empty_lockless() in poll() handlers (networking-stable-19_11_05).
- net: wireless: ti: remove local VENDOR_ID and DEVICE_ID definitions (git-fixes).
- net: wireless: ti: wl1251 use new SDIO_VENDOR_ID_TI_WL1251 definition (git-fixes).
- net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() (networking-stable-19_11_05).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- netns: fix GFP flags in rtnl_net_notifyid() (networking-stable-19_11_05).
- nfc: fdp: fix incorrect free object (networking-stable-19_11_10).
- nfc: netlink: fix double device reference drop (git-fixes).
- nfc: nxp-nci: Fix NULL pointer dereference after I2C communication error (git-fixes).
- nfc: pn533: fix bulk-message timeout (bsc#1051510).
- nfc: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- nfc: port100: handle command failure cleanly (git-fixes).
- nfc: st21nfca: fix double free (networking-stable-19_11_10).
- nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs (bsc#1109837).
- nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs (bsc#1109837).
- nl80211: Fix a GET_KEY reply attribute (bsc#1051510).
- nvme-tcp: support C2HData with SUCCESS flag (bsc#1157386).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: fix flow command message size (git-fixes).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- padata: use smp_mb in padata_reorder to avoid orphaned padata jobs (git-fixes).
- PCI/ACPI: Correct error message for ASPM disabling (bsc#1051510).
- PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/PM: Clear PCIe PME Status even for legacy power management (bsc#1111666).
- PCI/PME: Fix possible use-after-free on remove (git-fixes).
- PCI/PTM: Remove spurious "d" from granularity message (bsc#1051510).
- PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510).
- PCI: dwc: Fix find_next_bit() usage (bsc#1051510).
- PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510).
- PCI: pciehp: Avoid returning prematurely from sysfs requests (git-fixes).
- PCI: pciehp: Do not disable interrupt twice on suspend (bsc#1111666).
- PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510).
- PCI: sysfs: Ignore lockdep for remove attribute (git-fixes).
- PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 (git-fixes).
- perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp (bsc#1142924).
- phy: phy-twl4030-usb: fix denied runtime access (git-fixes).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call (git-fixes).
- pinctrl: at91: do not use the same irqchip with multiple gpiochips (git-fixes).
- pinctrl: cherryview: Allocate IRQ chip dynamic (git-fixes).
- pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666).
- pinctrl: lewisburg: Update pin list according to v1.1v6 (bsc#1051510).
- pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT (bsc#1051510).
- pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in init code (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()' (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / devfreq: Check NULL governor in available_governors_show (git-fixes).
- PM / devfreq: exynos-bus: Correct clock enable sequence (bsc#1051510).
- PM / devfreq: Lock devfreq in trans_stat_show (git-fixes).
- PM / devfreq: passive: fix compiler warning (bsc#1051510).
- PM / devfreq: passive: Use non-devm notifiers (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- PM / hibernate: Check the success of generating md5 digest before hibernation (bsc#1051510).
- power: reset: at91-poweroff: do not procede if at91_shdwc is allocated (bsc#1051510).
- power: supply: ab8500_fg: silence uninitialized variable warnings (bsc#1051510).
- power: supply: twl4030_charger: disable eoc interrupt on linear charge (bsc#1051510).
- power: supply: twl4030_charger: fix charging current out-of-bounds (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/book3s64/hash: Use secondary hash for bolted mapping if the primary is full (bsc#1157778 ltc#182520).
- powerpc/bpf: Fix tail call implementation (bsc#1157698).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries: Do not fail hash page table insert for bolted mapping (bsc#1157778 ltc#182520).
- powerpc/pseries: Do not opencode HPTE_V_BOLTED (bsc#1157778 ltc#182520).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- ppdev: fix PPGETTIME/PPSETTIME ioctls (bsc#1051510).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- printk: Export console_printk (bsc#1071995).
- pwm: bcm-iproc: Prevent unloading the driver module while in use (git-fixes).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: lpss: Only set update bit if we are actually changing the settings (bsc#1051510).
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qxl: fix null-pointer crash during suspend (bsc#1111666).
- r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 (networking-stable-19_11_05).
- r8152: add missing endpoint sanity check (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series (bsc#1154916).
- RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (bsc#1157895).
- RDMA/bnxt_re: Fix missing le16_to_cpu (bsc#1157895).
- RDMA/bnxt_re: Fix stat push into dma buffer on gen p5 devices (bsc#1157115)
- RDMA/efa: Clear the admin command buffer prior to its submission (git-fixes) This change was already picked through Amazon driver repo but was not marked with a Git-commit tag.
- RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206).
- RDMA/hns: Correct the value of srq_desc_size (bsc#1104427).
- RDMA/hns: Fix comparison of unsigned long variable 'end' with less than zero (bsc#1104427 bsc#1137236).
- RDMA/hns: Fix to support 64K page for srq (bsc#1104427).
- RDMA/hns: Fix wrong assignment of qp_access_flags (bsc#1104427).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427).
- README.BRANCH: Removing myself from the maintainer list
- regulator: ab8500: Remove AB8505 USB regulator (bsc#1051510).
- regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- remoteproc: Check for NULL firmwares in sysfs interface (git-fixes).
- reset: fix of_reset_simple_xlate kerneldoc comment (bsc#1051510).
- reset: Fix potential use-after-free in __of_reset_control_get() (bsc#1051510).
- reset: fix reset_control_get_exclusive kerneldoc comment (bsc#1051510).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921) Let COMPRESS_VMLINUX determine the compression used for vmlinux. By default (historically), it is gz.
- rpm/kernel-source.spec.in: Fix dependency of kernel-devel (bsc#1154043)
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rt2800: remove errornous duplicate condition (git-fixes).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument (bsc#1051510).
- rtl818x: fix potential use after free (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface (bsc#1111666).
- rtlwifi: Remove unnecessary NULL check in rtl_regd_init (bsc#1051510).
- rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (bsc#1111666). - rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address (bsc#1051510). - rtlwifi: rtl8192de: Fix missing enable interrupt flag (bsc#1051510). - s390/bpf: fix lcgr instruction encoding (bsc#1051510). - s390/bpf: use 32-bit index for tail calls (bsc#1051510). - s390/cio: avoid calling strlen on null pointer (bsc#1051510). - s390/cio: exclude subchannels with no parent from pseudo check (bsc#1051510). - s390/cio: fix virtio-ccw DMA without PV (git-fixes). - s390/cmm: fix information leak in cmm_timeout_handler() (bsc#1051510). - s390/idle: fix cpu idle time calculation (bsc#1051510). - s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510). - s390/process: avoid potential reading of freed stack (bsc#1051510). - s390/qdio: (re-)initialize tiqdio list entries (bsc#1051510). - s390/qdio: do not touch the dsci in tiqdio_add_input_queues() (bsc#1051510). - s390/qeth: clean up page frag creation (git-fixes). - s390/qeth: consolidate skb allocation (git-fixes). - s390/qeth: ensure linear access to packet headers (git-fixes). - s390/qeth: guard against runt packets (git-fixes). - s390/qeth: return proper errno on IO error (bsc#1051510). - s390/setup: fix boot crash for machine without EDAT-1 (bsc#1051510 bsc#1140948). - s390/setup: fix early warning messages (bsc#1051510 bsc#1140948). - s390/topology: avoid firing events before kobjs are created (bsc#1051510). - s390/zcrypt: fix memleak at release (git-fixes). - s390: fix stfle zero padding (bsc#1051510). - s390: vsie: Use effective CRYCBD.31 to check CRYCBD validity (git-fixes). - sched/fair: Add tmp_alone_branch assertion (bnc#1156462). - sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462). - sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462). - sched/fair: Optimize update_blocked_averages() (bnc#1156462). 
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132). - scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601). - scsi: lpfc: Fix Oops in nvme_register with target logout/login (bsc#1151900). - scsi: lpfc: Honor module parameter lpfc_use_adisc (bsc#1153628). - scsi: lpfc: use hdwq assigned cpu for allocation (bsc#1157160). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Add debug dump of LOGO payload and ELS IOCB (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Allow PLOGI in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Change discovery state before PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Configure local loop for N2N target (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Do not call qlt_async_event twice (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Do not defer relogin unconditonally (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Drop superfluous INIT_WORK of del_work (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). 
- scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan (bsc#1138039). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Initialize free_work before flushing it (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Send Notify ACK after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: unregister ports after GPN_FT failure (bsc#1138039). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use correct number of vectors for online CPUs (bsc#1137223). - scsi: qla2xxx: Use explicit LOGO in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - scsi: zfcp: fix request object use-after-free in send path causing wrong traces (bsc#1051510). - scsi: zfcp: trace channel log even for FCP command responses (git-fixes). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). 
- sctp: change sctp_prot .no_autobind with true (networking-stable-19_10_24). - selftests: net: reuseport_dualstack: fix uninitalized parameter (networking-stable-19_11_05). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: max310x: Fix tx_empty() callback (bsc#1051510). - serial: mxs-auart: Fix potential infinite loop (bsc#1051510). - serial: samsung: Enable baud clock for UART reset procedure in resume (bsc#1051510). - serial: uartps: Fix suspend functionality (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472). - signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal (bsc#1157463). - slcan: Fix memory leak in error path (bsc#1051510). - slip: Fix memory leak in slip_open error path (bsc#1051510). - slip: Fix use-after-free Read in slip_open (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: fix leak in "open on server" perf counter (bsc#1144333, bsc#1154355). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: fix signing verification of large reads (bsc#1144333, bsc#1154355). - smb3: fix unmount hang in open_shroot (bsc#1144333, bsc#1154355). - smb3: improve handling of share deleted (and share recreated) (bsc#1144333, bsc#1154355). - smb3: Incorrect size for netname negotiate context (bsc#1144333, bsc#1154355). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc: imx: gpc: fix PDN delay (bsc#1051510). - soc: qcom: wcnss_ctrl: Avoid string overflow (bsc#1051510). - spi: atmel: Fix CS high support (bsc#1051510). - spi: atmel: fix handling of cs_change set on non-last xfer (bsc#1051510). - spi: fsl-lpspi: Prevent FIFO under/overrun by default (bsc#1051510). 
- spi: mediatek: Do not modify spi_transfer when transfer (bsc#1051510). - spi: mediatek: use correct mata->xfer_len when in fifo transfer (bsc#1051510). - spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510). - spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510). - spi: pic32: Use proper enum in dmaengine_prep_slave_rg (bsc#1051510). - spi: rockchip: initialize dma_slave_config properly (bsc#1051510). - spi: spidev: Fix OF tree warning logic (bsc#1051510). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). - staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: rtl8192e: fix potential use after free (bsc#1051510). - staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510). - staging: rtl8723bs: Drop ACPI device ids (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stm class: Fix a double free of stm_source_device (bsc#1051510). - supported.conf: - synclink_gt(): fix compat_ioctl() (bsc#1051510). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510). - thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510). - thunderbolt: Fix lockdep circular locking depedency warning (git-fixes). - tipc: Avoid copying bytes beyond the supplied data (bsc#1051510). - tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510). - tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510). - tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510). 
- tipc: compat: allow tipc commands without arguments (bsc#1051510). - tipc: fix a missing check of genlmsg_put (bsc#1051510). - tipc: fix link name length check (bsc#1051510). - tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510). - tipc: fix skb may be leaky in tipc_link_input (bsc#1051510). - tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510). - tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510). - tipc: handle the err returned from cmd header function (bsc#1051510). - tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510). - tipc: tipc clang warning (bsc#1051510). - tools/power/x86/intel-speed-select: Fix a read overflow in isst_set_tdp_level_msr() (bsc#1111666). - tools: bpftool: fix arguments for p_err() in do_event_pipe() (bsc#1109837). - tpm: add check after commands attribs tab allocation (bsc#1051510). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510). - tty: serial: msm_serial: Fix flow control (bsc#1051510). - tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510). - tun: fix data-race in gro_normal_list() (bsc#1111666). - uaccess: Add non-pagefault user-space write function (bsc#1083647). - ubifs: Correctly initialize c->min_log_bytes (bsc#1158641). - ubifs: Limit the number of pages in shrink_liability (bsc#1158643). - udp: use skb_queue_empty_lockless() (networking-stable-19_11_05). - usb-serial: cp201x: support Mark-10 digital force gauge (bsc#1051510). - usb: adutux: fix interface sanity check (bsc#1051510). - usb: Allow USB device to be warm reset in suspended state (bsc#1051510). - usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - usb: chaoskey: fix error case of a timeout (git-fixes). 
- usb: chipidea: Fix otg event handler (bsc#1051510). - usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started (bsc#1051510). - usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - usb: core: urb: fix URB structure initialization function (bsc#1051510). - usb: documentation: flags on usb-storage versus UAS (bsc#1051510). - usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - usb: dwc3: ep0: Clear started flag on completion (bsc#1051510). - usb: dwc3: gadget: Check ENBLSLPM before sending ep command (bsc#1051510). - usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - usb: gadget: pch_udc: fix use after free (bsc#1051510). - usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() (bsc#1051510). - usb: gadget: uvc: configfs: Drop leaked references to config items (bsc#1051510). - usb: gadget: uvc: configfs: Prevent format changes after linking header (bsc#1051510). - usb: gadget: uvc: Factor out video USB request queueing (bsc#1051510). - usb: gadget: uvc: Only halt video streaming endpoint in bulk mode (bsc#1051510). - usb: gadget: u_serial: add missing port entry locking (bsc#1051510). - usb: idmouse: fix interface sanity checks (bsc#1051510). - usb: misc: appledisplay: fix backlight update_status return code (bsc#1051510). - usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). - usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). 
- usb: roles: fix a potential use after free (git-fixes). - usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510). - usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - usb: serial: ir-usb: fix IrLAP framing (bsc#1051510). - usb: serial: ir-usb: fix link-speed handling (bsc#1051510). - usb: serial: keyspan: handle unbound ports (bsc#1051510). - usb: serial: mos7720: fix remote wakeup (git-fixes). - usb: serial: mos7840: add USB ID to support Moxa UPort 2210 (bsc#1051510). - usb: serial: mos7840: fix remote wakeup (git-fixes). - usb: serial: opticon: fix control-message timeouts (bsc#1051510). - usb: serial: option: add support for DW5821e with eSIM support (bsc#1051510). - usb: serial: option: add support for Foxconn T77W968 LTE modules (bsc#1051510). - usb: serial: option: Add support for Quectel RM500Q (bsc#1051510). - usb: serial: quatech2: handle unbound ports (bsc#1051510). - usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb: serial: suppress driver bind attributes (bsc#1051510). - usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - usb: xhci-mtk: fix ISOC error when interval is zero (bsc#1051510). - usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - usb: xhci: only set D3hot for pci device (bsc#1051510). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). 
- usbip: tools: fix fd leakage in the function of read_attr_usbip_status (git-fixes). - vfio-ccw: Fix misleading comment when setting orb.cmd.c64 (bsc#1051510). - vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn (bsc#1051510). - vfio: ccw: push down unsupported IDA check (bsc#1156471 LTC#182362). - vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510). - video/hdmi: Fix AVI bar unpack (git-fixes). - video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5. - video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5. - virtio/s390: fix race on airq_areas (bsc#1051510). - virtio_console: allocate inbufs in add_port() only if it is needed (git-fixes). - virtio_ring: fix return code on DMA mapping fails (git-fixes). - vmxnet3: turn off lro when rxcsum is disabled (bsc#1157499). - vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes). - watchdog: meson: Fix the wrong value of left time (bsc#1051510). - watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510). - wil6210: drop Rx multicast packets that are looped-back to STA (bsc#1111666). - wil6210: fix debugfs memory access alignment (bsc#1111666). - wil6210: fix invalid memory access for rx_buff_mgmt debugfs (bsc#1111666). - wil6210: fix L2 RX status handling (bsc#1111666). - wil6210: fix locking in wmi_call (bsc#1111666). - wil6210: fix RGF_CAF_ICR address for Talyn-MB (bsc#1111666). - wil6210: prevent usage of tx ring 0 for eDMA (bsc#1111666). - wil6210: set edma variables only for Talyn-MB devices (bsc#1111666). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811). - x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). 
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/mm/pkeys: Fix typo in Documentation/x86/protection-keys.txt (bsc#1078248). - x86/pkeys: Update documentation about availability (bsc#1078248). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential lockdep warning (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/resctrl: Prevent NULL pointer dereference when reading mondata (bsc#1114279). - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs (bsc#1158068). - x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279). - x86/speculation: Fix redundant MDS mitigation message (bsc#1114279). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). - xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652). - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510). - xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510). - xsk: Fix registration of Rx-only sockets (bsc#1109837). - xsk: relax UMEM headroom alignment (bsc#1109837). - zd1211rw: fix storage endpoint lookup (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Realtime 15-SP1: zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2020-613=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-613=1 Package List: - SUSE Linux Enterprise Module for Realtime 15-SP1 (noarch): kernel-devel-rt-4.12.14-14.17.1 kernel-source-rt-4.12.14-14.17.1 - SUSE Linux Enterprise Module for Realtime 15-SP1 (x86_64): cluster-md-kmp-rt-4.12.14-14.17.1 cluster-md-kmp-rt-debuginfo-4.12.14-14.17.1 dlm-kmp-rt-4.12.14-14.17.1 dlm-kmp-rt-debuginfo-4.12.14-14.17.1 gfs2-kmp-rt-4.12.14-14.17.1 gfs2-kmp-rt-debuginfo-4.12.14-14.17.1 kernel-rt-4.12.14-14.17.1 kernel-rt-base-4.12.14-14.17.1 kernel-rt-base-debuginfo-4.12.14-14.17.1 kernel-rt-debuginfo-4.12.14-14.17.1 kernel-rt-debugsource-4.12.14-14.17.1 kernel-rt-devel-4.12.14-14.17.1 kernel-rt-devel-debuginfo-4.12.14-14.17.1 kernel-rt_debug-debuginfo-4.12.14-14.17.1 kernel-rt_debug-debugsource-4.12.14-14.17.1 kernel-rt_debug-devel-4.12.14-14.17.1 kernel-rt_debug-devel-debuginfo-4.12.14-14.17.1 kernel-syms-rt-4.12.14-14.17.1 ocfs2-kmp-rt-4.12.14-14.17.1 ocfs2-kmp-rt-debuginfo-4.12.14-14.17.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): cluster-md-kmp-rt_debug-4.12.14-14.17.1 cluster-md-kmp-rt_debug-debuginfo-4.12.14-14.17.1 dlm-kmp-rt_debug-4.12.14-14.17.1 dlm-kmp-rt_debug-debuginfo-4.12.14-14.17.1 gfs2-kmp-rt_debug-4.12.14-14.17.1 gfs2-kmp-rt_debug-debuginfo-4.12.14-14.17.1 kernel-rt-debuginfo-4.12.14-14.17.1 kernel-rt-debugsource-4.12.14-14.17.1 kernel-rt-extra-4.12.14-14.17.1 kernel-rt-extra-debuginfo-4.12.14-14.17.1 kernel-rt-livepatch-devel-4.12.14-14.17.1 kernel-rt_debug-4.12.14-14.17.1 kernel-rt_debug-base-4.12.14-14.17.1 kernel-rt_debug-base-debuginfo-4.12.14-14.17.1 kernel-rt_debug-debuginfo-4.12.14-14.17.1 kernel-rt_debug-debugsource-4.12.14-14.17.1 
kernel-rt_debug-extra-4.12.14-14.17.1 kernel-rt_debug-extra-debuginfo-4.12.14-14.17.1 kernel-rt_debug-livepatch-devel-4.12.14-14.17.1 kselftests-kmp-rt-4.12.14-14.17.1 kselftests-kmp-rt-debuginfo-4.12.14-14.17.1 kselftests-kmp-rt_debug-4.12.14-14.17.1 kselftests-kmp-rt_debug-debuginfo-4.12.14-14.17.1 ocfs2-kmp-rt_debug-4.12.14-14.17.1 ocfs2-kmp-rt_debug-debuginfo-4.12.14-14.17.1 reiserfs-kmp-rt-4.12.14-14.17.1 reiserfs-kmp-rt-debuginfo-4.12.14-14.17.1 reiserfs-kmp-rt_debug-4.12.14-14.17.1 reiserfs-kmp-rt_debug-debuginfo-4.12.14-14.17.1 References: https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14895.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-14901.html https://www.suse.com/security/cve/CVE-2019-15213.html https://www.suse.com/security/cve/CVE-2019-16746.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-18660.html https://www.suse.com/security/cve/CVE-2019-18683.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-18809.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19046.html https://www.suse.com/security/cve/CVE-2019-19049.html https://www.suse.com/security/cve/CVE-2019-19051.html https://www.suse.com/security/cve/CVE-2019-19052.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19056.html https://www.suse.com/security/cve/CVE-2019-19057.html https://www.suse.com/security/cve/CVE-2019-19058.html https://www.suse.com/security/cve/CVE-2019-19060.html https://www.suse.com/security/cve/CVE-2019-19062.html https://www.suse.com/security/cve/CVE-2019-19063.html https://www.suse.com/security/cve/CVE-2019-19065.html 
https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19067.html https://www.suse.com/security/cve/CVE-2019-19068.html https://www.suse.com/security/cve/CVE-2019-19073.html https://www.suse.com/security/cve/CVE-2019-19074.html https://www.suse.com/security/cve/CVE-2019-19075.html https://www.suse.com/security/cve/CVE-2019-19077.html https://www.suse.com/security/cve/CVE-2019-19078.html https://www.suse.com/security/cve/CVE-2019-19080.html https://www.suse.com/security/cve/CVE-2019-19081.html https://www.suse.com/security/cve/CVE-2019-19082.html https://www.suse.com/security/cve/CVE-2019-19083.html https://www.suse.com/security/cve/CVE-2019-19227.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19338.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19524.html https://www.suse.com/security/cve/CVE-2019-19525.html https://www.suse.com/security/cve/CVE-2019-19526.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19528.html https://www.suse.com/security/cve/CVE-2019-19529.html https://www.suse.com/security/cve/CVE-2019-19530.html https://www.suse.com/security/cve/CVE-2019-19531.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19534.html https://www.suse.com/security/cve/CVE-2019-19535.html https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19543.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19927.html https://www.suse.com/security/cve/CVE-2019-19965.html 
https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1078248 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1103989 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1108043 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113722 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1113994 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1115026 https://bugzilla.suse.com/1117169 https://bugzilla.suse.com/1118661 https://bugzilla.suse.com/1119113 https://bugzilla.suse.com/1120853 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1126206 https://bugzilla.suse.com/1126390 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1127682 https://bugzilla.suse.com/1129551 https://bugzilla.suse.com/1129770 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1134983 https://bugzilla.suse.com/1137223 
https://bugzilla.suse.com/1137236 https://bugzilla.suse.com/1138039 https://bugzilla.suse.com/1140948 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1142095 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142924 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146544 https://bugzilla.suse.com/1151067 https://bugzilla.suse.com/1151548 https://bugzilla.suse.com/1151900 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1152107 https://bugzilla.suse.com/1152631 https://bugzilla.suse.com/1153535 https://bugzilla.suse.com/1153628 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154043 https://bugzilla.suse.com/1154058 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1154355 https://bugzilla.suse.com/1154601 https://bugzilla.suse.com/1154768 https://bugzilla.suse.com/1154916 https://bugzilla.suse.com/1155331 https://bugzilla.suse.com/1155334 https://bugzilla.suse.com/1155689 https://bugzilla.suse.com/1155897 https://bugzilla.suse.com/1155921 https://bugzilla.suse.com/1156258 https://bugzilla.suse.com/1156259 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1156462 https://bugzilla.suse.com/1156471 https://bugzilla.suse.com/1156928 https://bugzilla.suse.com/1157032 https://bugzilla.suse.com/1157038 https://bugzilla.suse.com/1157042 https://bugzilla.suse.com/1157044 https://bugzilla.suse.com/1157045 https://bugzilla.suse.com/1157046 https://bugzilla.suse.com/1157049 https://bugzilla.suse.com/1157070 https://bugzilla.suse.com/1157115 https://bugzilla.suse.com/1157143 https://bugzilla.suse.com/1157145 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157158 https://bugzilla.suse.com/1157160 https://bugzilla.suse.com/1157162 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1157171 
https://bugzilla.suse.com/1157173 https://bugzilla.suse.com/1157178 https://bugzilla.suse.com/1157180 https://bugzilla.suse.com/1157182 https://bugzilla.suse.com/1157183 https://bugzilla.suse.com/1157184 https://bugzilla.suse.com/1157191 https://bugzilla.suse.com/1157193 https://bugzilla.suse.com/1157197 https://bugzilla.suse.com/1157298 https://bugzilla.suse.com/1157303 https://bugzilla.suse.com/1157304 https://bugzilla.suse.com/1157307 https://bugzilla.suse.com/1157324 https://bugzilla.suse.com/1157333 https://bugzilla.suse.com/1157386 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157463 https://bugzilla.suse.com/1157499 https://bugzilla.suse.com/1157678 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1157698 https://bugzilla.suse.com/1157778 https://bugzilla.suse.com/1157853 https://bugzilla.suse.com/1157895 https://bugzilla.suse.com/1157908 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158049 https://bugzilla.suse.com/1158063 https://bugzilla.suse.com/1158064 https://bugzilla.suse.com/1158065 https://bugzilla.suse.com/1158066 https://bugzilla.suse.com/1158067 https://bugzilla.suse.com/1158068 https://bugzilla.suse.com/1158071 https://bugzilla.suse.com/1158082 https://bugzilla.suse.com/1158094 https://bugzilla.suse.com/1158132 https://bugzilla.suse.com/1158381 https://bugzilla.suse.com/1158394 https://bugzilla.suse.com/1158398 https://bugzilla.suse.com/1158407 https://bugzilla.suse.com/1158410 https://bugzilla.suse.com/1158413 https://bugzilla.suse.com/1158417 https://bugzilla.suse.com/1158427 https://bugzilla.suse.com/1158445 https://bugzilla.suse.com/1158533 https://bugzilla.suse.com/1158637 https://bugzilla.suse.com/1158638 https://bugzilla.suse.com/1158639 https://bugzilla.suse.com/1158640 https://bugzilla.suse.com/1158641 https://bugzilla.suse.com/1158643 https://bugzilla.suse.com/1158644 https://bugzilla.suse.com/1158645 
https://bugzilla.suse.com/1158646 https://bugzilla.suse.com/1158647 https://bugzilla.suse.com/1158649 https://bugzilla.suse.com/1158651 https://bugzilla.suse.com/1158652 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1158823 https://bugzilla.suse.com/1158824 https://bugzilla.suse.com/1158827 https://bugzilla.suse.com/1158834 https://bugzilla.suse.com/1158893 https://bugzilla.suse.com/1158900 https://bugzilla.suse.com/1158903 https://bugzilla.suse.com/1158904 https://bugzilla.suse.com/1158954 https://bugzilla.suse.com/1159024 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159297 https://bugzilla.suse.com/1159377 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159500 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160147 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160433 https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160469 https://bugzilla.suse.com/1160470 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160618 https://bugzilla.suse.com/1160678 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161243 https://bugzilla.suse.com/1161472 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 
https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162028 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139

From sle-security-updates at lists.suse.com Mon Mar 9 08:50:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Mar 2020 15:50:42 +0100 (CET)
Subject: SUSE-SU-2020:14309-1: moderate: Security update for gd
Message-ID: <20200309145042.D2C93FC56@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14309-1
Rating: moderate
References: #1050241 #1123522 #1140120
Cross-References: CVE-2017-7890 CVE-2019-11038 CVE-2019-6978
Affected Products:
  SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for gd fixes the following issues:

Security vulnerability addressed:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2019-6978: Fixed a double free in the GD graphics library (bsc#1123522).
- CVE-2019-11038: Fixed an information disclosure in gdImageCreateFromXbm() (bsc#1140120).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-gd-14309=1

Package List:

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  gd-debuginfo-2.0.36.RC1-52.33.12.1
  gd-debugsource-2.0.36.RC1-52.33.12.1

References:

https://www.suse.com/security/cve/CVE-2017-7890.html
https://www.suse.com/security/cve/CVE-2019-11038.html
https://www.suse.com/security/cve/CVE-2019-6978.html
https://bugzilla.suse.com/1050241
https://bugzilla.suse.com/1123522
https://bugzilla.suse.com/1140120

From sle-security-updates at lists.suse.com Mon Mar 9 11:13:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Mar 2020 18:13:49 +0100 (CET)
Subject: SUSE-SU-2020:0617-1: important: Security update for ipmitool
Message-ID: <20200309171349.50654F79E@maintenance.suse.de>

SUSE Security Update: Security update for ipmitool
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0617-1
Rating: important
References: #1085469 #1163026
Cross-References: CVE-2020-5208
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for ipmitool fixes the following issues:

- CVE-2020-5208: Fixed multiple remote code execution vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-617=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-617=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-617=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-617=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  ipmitool-1.8.18-4.3.1
  ipmitool-debuginfo-1.8.18-4.3.1
  ipmitool-debugsource-1.8.18-4.3.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  ipmitool-1.8.18-4.3.1
  ipmitool-debuginfo-1.8.18-4.3.1
  ipmitool-debugsource-1.8.18-4.3.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  ipmitool-1.8.18-4.3.1
  ipmitool-debuginfo-1.8.18-4.3.1
  ipmitool-debugsource-1.8.18-4.3.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  ipmitool-1.8.18-4.3.1
  ipmitool-debuginfo-1.8.18-4.3.1
  ipmitool-debugsource-1.8.18-4.3.1

References:

https://www.suse.com/security/cve/CVE-2020-5208.html
https://bugzilla.suse.com/1085469
https://bugzilla.suse.com/1163026

From sle-security-updates at lists.suse.com Mon Mar 9 14:16:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Mar 2020 21:16:56 +0100 (CET)
Subject: SUSE-SU-2020:0623-1: moderate: Security update for gd
Message-ID: <20200309201656.47310FC56@maintenance.suse.de>

SUSE Security Update: Security update for gd
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0623-1
Rating: moderate
References: #1050241 #1140120 #1165471
Cross-References: CVE-2017-7890 CVE-2018-14553 CVE-2019-11038
Affected Products:
  SUSE Linux Enterprise Workstation Extension 12-SP5
  SUSE Linux Enterprise Workstation Extension 12-SP4
  SUSE Linux Enterprise
Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for gd fixes the following issues:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed an information disclosure in gdImageCreateFromXbm() (bsc#1140120).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-623=1
- SUSE Linux Enterprise Workstation Extension 12-SP4:
  zypper in -t patch SUSE-SLE-WE-12-SP4-2020-623=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-623=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-623=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-623=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-623=1
- SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-623=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  gd-32bit-2.1.0-24.17.1
  gd-debuginfo-32bit-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
  gd-32bit-2.1.0-24.17.1
  gd-debuginfo-32bit-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  gd-debuginfo-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
  gd-devel-2.1.0-24.17.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  gd-debuginfo-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
  gd-devel-2.1.0-24.17.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  gd-2.1.0-24.17.1
  gd-debuginfo-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  gd-2.1.0-24.17.1
  gd-debuginfo-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
  gd-2.1.0-24.17.1
  gd-32bit-2.1.0-24.17.1
  gd-debuginfo-2.1.0-24.17.1
  gd-debuginfo-32bit-2.1.0-24.17.1
  gd-debugsource-2.1.0-24.17.1

References:

https://www.suse.com/security/cve/CVE-2017-7890.html
https://www.suse.com/security/cve/CVE-2018-14553.html
https://www.suse.com/security/cve/CVE-2019-11038.html
https://bugzilla.suse.com/1050241
https://bugzilla.suse.com/1140120
https://bugzilla.suse.com/1165471

From sle-security-updates at lists.suse.com Mon Mar 9 14:24:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Mar 2020 21:24:13 +0100 (CET)
Subject: SUSE-SU-2020:0622-1: important: Security update for php7
Message-ID: <20200309202413.42D01FC56@maintenance.suse.de>

SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0622-1
Rating: important
References: #1162629 #1162632 #1165280 #1165289
Cross-References: CVE-2020-7059 CVE-2020-7060 CVE-2020-7062 CVE-2020-7063
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Web Scripting 15-SP1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for php7 fixes the following issues:

- CVE-2020-7062: Fixed a null pointer dereference when using file upload functionality under specific circumstances (bsc#1165280).
- CVE-2020-7063: Fixed an issue where adding files changes the permissions to default (bsc#1165289).
- CVE-2020-7059: Fixed an out of bounds read in php_strip_tags_ex which may have led to denial of service (bsc#1162629).
- CVE-2020-7060: Fixed a global buffer overflow in mbfl_filt_conv_big5_wchar which may have led to memory corruption (bsc#1162632).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-622=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-622=1
- SUSE Linux Enterprise Module for Web Scripting 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-622=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-622=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-622=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-622=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
apache2-mod_php7-7.2.5-4.52.4 apache2-mod_php7-debuginfo-7.2.5-4.52.4 php7-7.2.5-4.52.4 php7-bcmath-7.2.5-4.52.4 php7-bcmath-debuginfo-7.2.5-4.52.4 php7-bz2-7.2.5-4.52.4 php7-bz2-debuginfo-7.2.5-4.52.4 php7-calendar-7.2.5-4.52.4 php7-calendar-debuginfo-7.2.5-4.52.4 php7-ctype-7.2.5-4.52.4 php7-ctype-debuginfo-7.2.5-4.52.4
php7-curl-7.2.5-4.52.4 php7-curl-debuginfo-7.2.5-4.52.4 php7-dba-7.2.5-4.52.4 php7-dba-debuginfo-7.2.5-4.52.4 php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-devel-7.2.5-4.52.4 php7-dom-7.2.5-4.52.4 php7-dom-debuginfo-7.2.5-4.52.4 php7-enchant-7.2.5-4.52.4 php7-enchant-debuginfo-7.2.5-4.52.4 php7-exif-7.2.5-4.52.4 php7-exif-debuginfo-7.2.5-4.52.4 php7-fastcgi-7.2.5-4.52.4 php7-fastcgi-debuginfo-7.2.5-4.52.4 php7-fileinfo-7.2.5-4.52.4 php7-fileinfo-debuginfo-7.2.5-4.52.4 php7-fpm-7.2.5-4.52.4 php7-fpm-debuginfo-7.2.5-4.52.4 php7-ftp-7.2.5-4.52.4 php7-ftp-debuginfo-7.2.5-4.52.4 php7-gd-7.2.5-4.52.4 php7-gd-debuginfo-7.2.5-4.52.4 php7-gettext-7.2.5-4.52.4 php7-gettext-debuginfo-7.2.5-4.52.4 php7-gmp-7.2.5-4.52.4 php7-gmp-debuginfo-7.2.5-4.52.4 php7-iconv-7.2.5-4.52.4 php7-iconv-debuginfo-7.2.5-4.52.4 php7-intl-7.2.5-4.52.4 php7-intl-debuginfo-7.2.5-4.52.4 php7-json-7.2.5-4.52.4 php7-json-debuginfo-7.2.5-4.52.4 php7-ldap-7.2.5-4.52.4 php7-ldap-debuginfo-7.2.5-4.52.4 php7-mbstring-7.2.5-4.52.4 php7-mbstring-debuginfo-7.2.5-4.52.4 php7-mysql-7.2.5-4.52.4 php7-mysql-debuginfo-7.2.5-4.52.4 php7-odbc-7.2.5-4.52.4 php7-odbc-debuginfo-7.2.5-4.52.4 php7-opcache-7.2.5-4.52.4 php7-opcache-debuginfo-7.2.5-4.52.4 php7-openssl-7.2.5-4.52.4 php7-openssl-debuginfo-7.2.5-4.52.4 php7-pcntl-7.2.5-4.52.4 php7-pcntl-debuginfo-7.2.5-4.52.4 php7-pdo-7.2.5-4.52.4 php7-pdo-debuginfo-7.2.5-4.52.4 php7-pgsql-7.2.5-4.52.4 php7-pgsql-debuginfo-7.2.5-4.52.4 php7-phar-7.2.5-4.52.4 php7-phar-debuginfo-7.2.5-4.52.4 php7-posix-7.2.5-4.52.4 php7-posix-debuginfo-7.2.5-4.52.4 php7-shmop-7.2.5-4.52.4 php7-shmop-debuginfo-7.2.5-4.52.4 php7-snmp-7.2.5-4.52.4 php7-snmp-debuginfo-7.2.5-4.52.4 php7-soap-7.2.5-4.52.4 php7-soap-debuginfo-7.2.5-4.52.4 php7-sockets-7.2.5-4.52.4 php7-sockets-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-sqlite-7.2.5-4.52.4 php7-sqlite-debuginfo-7.2.5-4.52.4 php7-sysvmsg-7.2.5-4.52.4 php7-sysvmsg-debuginfo-7.2.5-4.52.4 
php7-sysvsem-7.2.5-4.52.4 php7-sysvsem-debuginfo-7.2.5-4.52.4 php7-sysvshm-7.2.5-4.52.4 php7-sysvshm-debuginfo-7.2.5-4.52.4 php7-tokenizer-7.2.5-4.52.4 php7-tokenizer-debuginfo-7.2.5-4.52.4 php7-wddx-7.2.5-4.52.4 php7-wddx-debuginfo-7.2.5-4.52.4 php7-xmlreader-7.2.5-4.52.4 php7-xmlreader-debuginfo-7.2.5-4.52.4 php7-xmlrpc-7.2.5-4.52.4 php7-xmlrpc-debuginfo-7.2.5-4.52.4 php7-xmlwriter-7.2.5-4.52.4 php7-xmlwriter-debuginfo-7.2.5-4.52.4 php7-xsl-7.2.5-4.52.4 php7-xsl-debuginfo-7.2.5-4.52.4 php7-zip-7.2.5-4.52.4 php7-zip-debuginfo-7.2.5-4.52.4 php7-zlib-7.2.5-4.52.4 php7-zlib-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise Server for SAP 15 (noarch): php7-pear-7.2.5-4.52.4 php7-pear-Archive_Tar-7.2.5-4.52.4 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): apache2-mod_php7-7.2.5-4.52.4 apache2-mod_php7-debuginfo-7.2.5-4.52.4 php7-7.2.5-4.52.4 php7-bcmath-7.2.5-4.52.4 php7-bcmath-debuginfo-7.2.5-4.52.4 php7-bz2-7.2.5-4.52.4 php7-bz2-debuginfo-7.2.5-4.52.4 php7-calendar-7.2.5-4.52.4 php7-calendar-debuginfo-7.2.5-4.52.4 php7-ctype-7.2.5-4.52.4 php7-ctype-debuginfo-7.2.5-4.52.4 php7-curl-7.2.5-4.52.4 php7-curl-debuginfo-7.2.5-4.52.4 php7-dba-7.2.5-4.52.4 php7-dba-debuginfo-7.2.5-4.52.4 php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-devel-7.2.5-4.52.4 php7-dom-7.2.5-4.52.4 php7-dom-debuginfo-7.2.5-4.52.4 php7-enchant-7.2.5-4.52.4 php7-enchant-debuginfo-7.2.5-4.52.4 php7-exif-7.2.5-4.52.4 php7-exif-debuginfo-7.2.5-4.52.4 php7-fastcgi-7.2.5-4.52.4 php7-fastcgi-debuginfo-7.2.5-4.52.4 php7-fileinfo-7.2.5-4.52.4 php7-fileinfo-debuginfo-7.2.5-4.52.4 php7-fpm-7.2.5-4.52.4 php7-fpm-debuginfo-7.2.5-4.52.4 php7-ftp-7.2.5-4.52.4 php7-ftp-debuginfo-7.2.5-4.52.4 php7-gd-7.2.5-4.52.4 php7-gd-debuginfo-7.2.5-4.52.4 php7-gettext-7.2.5-4.52.4 php7-gettext-debuginfo-7.2.5-4.52.4 php7-gmp-7.2.5-4.52.4 php7-gmp-debuginfo-7.2.5-4.52.4 php7-iconv-7.2.5-4.52.4 php7-iconv-debuginfo-7.2.5-4.52.4 php7-intl-7.2.5-4.52.4 php7-intl-debuginfo-7.2.5-4.52.4 php7-json-7.2.5-4.52.4 
php7-json-debuginfo-7.2.5-4.52.4 php7-ldap-7.2.5-4.52.4 php7-ldap-debuginfo-7.2.5-4.52.4 php7-mbstring-7.2.5-4.52.4 php7-mbstring-debuginfo-7.2.5-4.52.4 php7-mysql-7.2.5-4.52.4 php7-mysql-debuginfo-7.2.5-4.52.4 php7-odbc-7.2.5-4.52.4 php7-odbc-debuginfo-7.2.5-4.52.4 php7-opcache-7.2.5-4.52.4 php7-opcache-debuginfo-7.2.5-4.52.4 php7-openssl-7.2.5-4.52.4 php7-openssl-debuginfo-7.2.5-4.52.4 php7-pcntl-7.2.5-4.52.4 php7-pcntl-debuginfo-7.2.5-4.52.4 php7-pdo-7.2.5-4.52.4 php7-pdo-debuginfo-7.2.5-4.52.4 php7-pgsql-7.2.5-4.52.4 php7-pgsql-debuginfo-7.2.5-4.52.4 php7-phar-7.2.5-4.52.4 php7-phar-debuginfo-7.2.5-4.52.4 php7-posix-7.2.5-4.52.4 php7-posix-debuginfo-7.2.5-4.52.4 php7-shmop-7.2.5-4.52.4 php7-shmop-debuginfo-7.2.5-4.52.4 php7-snmp-7.2.5-4.52.4 php7-snmp-debuginfo-7.2.5-4.52.4 php7-soap-7.2.5-4.52.4 php7-soap-debuginfo-7.2.5-4.52.4 php7-sockets-7.2.5-4.52.4 php7-sockets-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-sqlite-7.2.5-4.52.4 php7-sqlite-debuginfo-7.2.5-4.52.4 php7-sysvmsg-7.2.5-4.52.4 php7-sysvmsg-debuginfo-7.2.5-4.52.4 php7-sysvsem-7.2.5-4.52.4 php7-sysvsem-debuginfo-7.2.5-4.52.4 php7-sysvshm-7.2.5-4.52.4 php7-sysvshm-debuginfo-7.2.5-4.52.4 php7-tokenizer-7.2.5-4.52.4 php7-tokenizer-debuginfo-7.2.5-4.52.4 php7-wddx-7.2.5-4.52.4 php7-wddx-debuginfo-7.2.5-4.52.4 php7-xmlreader-7.2.5-4.52.4 php7-xmlreader-debuginfo-7.2.5-4.52.4 php7-xmlrpc-7.2.5-4.52.4 php7-xmlrpc-debuginfo-7.2.5-4.52.4 php7-xmlwriter-7.2.5-4.52.4 php7-xmlwriter-debuginfo-7.2.5-4.52.4 php7-xsl-7.2.5-4.52.4 php7-xsl-debuginfo-7.2.5-4.52.4 php7-zip-7.2.5-4.52.4 php7-zip-debuginfo-7.2.5-4.52.4 php7-zlib-7.2.5-4.52.4 php7-zlib-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise Server 15-LTSS (noarch): php7-pear-7.2.5-4.52.4 php7-pear-Archive_Tar-7.2.5-4.52.4 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.2.5-4.52.4 apache2-mod_php7-debuginfo-7.2.5-4.52.4 php7-7.2.5-4.52.4 php7-bcmath-7.2.5-4.52.4 
php7-bcmath-debuginfo-7.2.5-4.52.4 php7-bz2-7.2.5-4.52.4 php7-bz2-debuginfo-7.2.5-4.52.4 php7-calendar-7.2.5-4.52.4 php7-calendar-debuginfo-7.2.5-4.52.4 php7-ctype-7.2.5-4.52.4 php7-ctype-debuginfo-7.2.5-4.52.4 php7-curl-7.2.5-4.52.4 php7-curl-debuginfo-7.2.5-4.52.4 php7-dba-7.2.5-4.52.4 php7-dba-debuginfo-7.2.5-4.52.4 php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-devel-7.2.5-4.52.4 php7-dom-7.2.5-4.52.4 php7-dom-debuginfo-7.2.5-4.52.4 php7-enchant-7.2.5-4.52.4 php7-enchant-debuginfo-7.2.5-4.52.4 php7-exif-7.2.5-4.52.4 php7-exif-debuginfo-7.2.5-4.52.4 php7-fastcgi-7.2.5-4.52.4 php7-fastcgi-debuginfo-7.2.5-4.52.4 php7-fileinfo-7.2.5-4.52.4 php7-fileinfo-debuginfo-7.2.5-4.52.4 php7-fpm-7.2.5-4.52.4 php7-fpm-debuginfo-7.2.5-4.52.4 php7-ftp-7.2.5-4.52.4 php7-ftp-debuginfo-7.2.5-4.52.4 php7-gd-7.2.5-4.52.4 php7-gd-debuginfo-7.2.5-4.52.4 php7-gettext-7.2.5-4.52.4 php7-gettext-debuginfo-7.2.5-4.52.4 php7-gmp-7.2.5-4.52.4 php7-gmp-debuginfo-7.2.5-4.52.4 php7-iconv-7.2.5-4.52.4 php7-iconv-debuginfo-7.2.5-4.52.4 php7-intl-7.2.5-4.52.4 php7-intl-debuginfo-7.2.5-4.52.4 php7-json-7.2.5-4.52.4 php7-json-debuginfo-7.2.5-4.52.4 php7-ldap-7.2.5-4.52.4 php7-ldap-debuginfo-7.2.5-4.52.4 php7-mbstring-7.2.5-4.52.4 php7-mbstring-debuginfo-7.2.5-4.52.4 php7-mysql-7.2.5-4.52.4 php7-mysql-debuginfo-7.2.5-4.52.4 php7-odbc-7.2.5-4.52.4 php7-odbc-debuginfo-7.2.5-4.52.4 php7-opcache-7.2.5-4.52.4 php7-opcache-debuginfo-7.2.5-4.52.4 php7-openssl-7.2.5-4.52.4 php7-openssl-debuginfo-7.2.5-4.52.4 php7-pcntl-7.2.5-4.52.4 php7-pcntl-debuginfo-7.2.5-4.52.4 php7-pdo-7.2.5-4.52.4 php7-pdo-debuginfo-7.2.5-4.52.4 php7-pgsql-7.2.5-4.52.4 php7-pgsql-debuginfo-7.2.5-4.52.4 php7-phar-7.2.5-4.52.4 php7-phar-debuginfo-7.2.5-4.52.4 php7-posix-7.2.5-4.52.4 php7-posix-debuginfo-7.2.5-4.52.4 php7-shmop-7.2.5-4.52.4 php7-shmop-debuginfo-7.2.5-4.52.4 php7-snmp-7.2.5-4.52.4 php7-snmp-debuginfo-7.2.5-4.52.4 php7-soap-7.2.5-4.52.4 php7-soap-debuginfo-7.2.5-4.52.4 php7-sockets-7.2.5-4.52.4 
php7-sockets-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-sqlite-7.2.5-4.52.4 php7-sqlite-debuginfo-7.2.5-4.52.4 php7-sysvmsg-7.2.5-4.52.4 php7-sysvmsg-debuginfo-7.2.5-4.52.4 php7-sysvsem-7.2.5-4.52.4 php7-sysvsem-debuginfo-7.2.5-4.52.4 php7-sysvshm-7.2.5-4.52.4 php7-sysvshm-debuginfo-7.2.5-4.52.4 php7-tokenizer-7.2.5-4.52.4 php7-tokenizer-debuginfo-7.2.5-4.52.4 php7-wddx-7.2.5-4.52.4 php7-wddx-debuginfo-7.2.5-4.52.4 php7-xmlreader-7.2.5-4.52.4 php7-xmlreader-debuginfo-7.2.5-4.52.4 php7-xmlrpc-7.2.5-4.52.4 php7-xmlrpc-debuginfo-7.2.5-4.52.4 php7-xmlwriter-7.2.5-4.52.4 php7-xmlwriter-debuginfo-7.2.5-4.52.4 php7-xsl-7.2.5-4.52.4 php7-xsl-debuginfo-7.2.5-4.52.4 php7-zip-7.2.5-4.52.4 php7-zip-debuginfo-7.2.5-4.52.4 php7-zlib-7.2.5-4.52.4 php7-zlib-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): php7-pear-7.2.5-4.52.4 php7-pear-Archive_Tar-7.2.5-4.52.4 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-embed-7.2.5-4.52.4 php7-embed-debuginfo-7.2.5-4.52.4 php7-readline-7.2.5-4.52.4 php7-readline-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-tidy-7.2.5-4.52.4 php7-tidy-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): apache2-mod_php7-7.2.5-4.52.4 apache2-mod_php7-debuginfo-7.2.5-4.52.4 php7-7.2.5-4.52.4 php7-bcmath-7.2.5-4.52.4 php7-bcmath-debuginfo-7.2.5-4.52.4 php7-bz2-7.2.5-4.52.4 php7-bz2-debuginfo-7.2.5-4.52.4 php7-calendar-7.2.5-4.52.4 php7-calendar-debuginfo-7.2.5-4.52.4 php7-ctype-7.2.5-4.52.4 php7-ctype-debuginfo-7.2.5-4.52.4 php7-curl-7.2.5-4.52.4 php7-curl-debuginfo-7.2.5-4.52.4 php7-dba-7.2.5-4.52.4 php7-dba-debuginfo-7.2.5-4.52.4 php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-devel-7.2.5-4.52.4 php7-dom-7.2.5-4.52.4 php7-dom-debuginfo-7.2.5-4.52.4 
php7-enchant-7.2.5-4.52.4 php7-enchant-debuginfo-7.2.5-4.52.4 php7-exif-7.2.5-4.52.4 php7-exif-debuginfo-7.2.5-4.52.4 php7-fastcgi-7.2.5-4.52.4 php7-fastcgi-debuginfo-7.2.5-4.52.4 php7-fileinfo-7.2.5-4.52.4 php7-fileinfo-debuginfo-7.2.5-4.52.4 php7-fpm-7.2.5-4.52.4 php7-fpm-debuginfo-7.2.5-4.52.4 php7-ftp-7.2.5-4.52.4 php7-ftp-debuginfo-7.2.5-4.52.4 php7-gd-7.2.5-4.52.4 php7-gd-debuginfo-7.2.5-4.52.4 php7-gettext-7.2.5-4.52.4 php7-gettext-debuginfo-7.2.5-4.52.4 php7-gmp-7.2.5-4.52.4 php7-gmp-debuginfo-7.2.5-4.52.4 php7-iconv-7.2.5-4.52.4 php7-iconv-debuginfo-7.2.5-4.52.4 php7-intl-7.2.5-4.52.4 php7-intl-debuginfo-7.2.5-4.52.4 php7-json-7.2.5-4.52.4 php7-json-debuginfo-7.2.5-4.52.4 php7-ldap-7.2.5-4.52.4 php7-ldap-debuginfo-7.2.5-4.52.4 php7-mbstring-7.2.5-4.52.4 php7-mbstring-debuginfo-7.2.5-4.52.4 php7-mysql-7.2.5-4.52.4 php7-mysql-debuginfo-7.2.5-4.52.4 php7-odbc-7.2.5-4.52.4 php7-odbc-debuginfo-7.2.5-4.52.4 php7-opcache-7.2.5-4.52.4 php7-opcache-debuginfo-7.2.5-4.52.4 php7-openssl-7.2.5-4.52.4 php7-openssl-debuginfo-7.2.5-4.52.4 php7-pcntl-7.2.5-4.52.4 php7-pcntl-debuginfo-7.2.5-4.52.4 php7-pdo-7.2.5-4.52.4 php7-pdo-debuginfo-7.2.5-4.52.4 php7-pgsql-7.2.5-4.52.4 php7-pgsql-debuginfo-7.2.5-4.52.4 php7-phar-7.2.5-4.52.4 php7-phar-debuginfo-7.2.5-4.52.4 php7-posix-7.2.5-4.52.4 php7-posix-debuginfo-7.2.5-4.52.4 php7-shmop-7.2.5-4.52.4 php7-shmop-debuginfo-7.2.5-4.52.4 php7-snmp-7.2.5-4.52.4 php7-snmp-debuginfo-7.2.5-4.52.4 php7-soap-7.2.5-4.52.4 php7-soap-debuginfo-7.2.5-4.52.4 php7-sockets-7.2.5-4.52.4 php7-sockets-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-sqlite-7.2.5-4.52.4 php7-sqlite-debuginfo-7.2.5-4.52.4 php7-sysvmsg-7.2.5-4.52.4 php7-sysvmsg-debuginfo-7.2.5-4.52.4 php7-sysvsem-7.2.5-4.52.4 php7-sysvsem-debuginfo-7.2.5-4.52.4 php7-sysvshm-7.2.5-4.52.4 php7-sysvshm-debuginfo-7.2.5-4.52.4 php7-tokenizer-7.2.5-4.52.4 php7-tokenizer-debuginfo-7.2.5-4.52.4 php7-wddx-7.2.5-4.52.4 php7-wddx-debuginfo-7.2.5-4.52.4 
php7-xmlreader-7.2.5-4.52.4 php7-xmlreader-debuginfo-7.2.5-4.52.4 php7-xmlrpc-7.2.5-4.52.4 php7-xmlrpc-debuginfo-7.2.5-4.52.4 php7-xmlwriter-7.2.5-4.52.4 php7-xmlwriter-debuginfo-7.2.5-4.52.4 php7-xsl-7.2.5-4.52.4 php7-xsl-debuginfo-7.2.5-4.52.4 php7-zip-7.2.5-4.52.4 php7-zip-debuginfo-7.2.5-4.52.4 php7-zlib-7.2.5-4.52.4 php7-zlib-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): php7-pear-7.2.5-4.52.4 php7-pear-Archive_Tar-7.2.5-4.52.4 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): apache2-mod_php7-7.2.5-4.52.4 apache2-mod_php7-debuginfo-7.2.5-4.52.4 php7-7.2.5-4.52.4 php7-bcmath-7.2.5-4.52.4 php7-bcmath-debuginfo-7.2.5-4.52.4 php7-bz2-7.2.5-4.52.4 php7-bz2-debuginfo-7.2.5-4.52.4 php7-calendar-7.2.5-4.52.4 php7-calendar-debuginfo-7.2.5-4.52.4 php7-ctype-7.2.5-4.52.4 php7-ctype-debuginfo-7.2.5-4.52.4 php7-curl-7.2.5-4.52.4 php7-curl-debuginfo-7.2.5-4.52.4 php7-dba-7.2.5-4.52.4 php7-dba-debuginfo-7.2.5-4.52.4 php7-debuginfo-7.2.5-4.52.4 php7-debugsource-7.2.5-4.52.4 php7-devel-7.2.5-4.52.4 php7-dom-7.2.5-4.52.4 php7-dom-debuginfo-7.2.5-4.52.4 php7-enchant-7.2.5-4.52.4 php7-enchant-debuginfo-7.2.5-4.52.4 php7-exif-7.2.5-4.52.4 php7-exif-debuginfo-7.2.5-4.52.4 php7-fastcgi-7.2.5-4.52.4 php7-fastcgi-debuginfo-7.2.5-4.52.4 php7-fileinfo-7.2.5-4.52.4 php7-fileinfo-debuginfo-7.2.5-4.52.4 php7-fpm-7.2.5-4.52.4 php7-fpm-debuginfo-7.2.5-4.52.4 php7-ftp-7.2.5-4.52.4 php7-ftp-debuginfo-7.2.5-4.52.4 php7-gd-7.2.5-4.52.4 php7-gd-debuginfo-7.2.5-4.52.4 php7-gettext-7.2.5-4.52.4 php7-gettext-debuginfo-7.2.5-4.52.4 php7-gmp-7.2.5-4.52.4 php7-gmp-debuginfo-7.2.5-4.52.4 php7-iconv-7.2.5-4.52.4 php7-iconv-debuginfo-7.2.5-4.52.4 php7-intl-7.2.5-4.52.4 php7-intl-debuginfo-7.2.5-4.52.4 php7-json-7.2.5-4.52.4 php7-json-debuginfo-7.2.5-4.52.4 php7-ldap-7.2.5-4.52.4 php7-ldap-debuginfo-7.2.5-4.52.4 php7-mbstring-7.2.5-4.52.4 php7-mbstring-debuginfo-7.2.5-4.52.4 php7-mysql-7.2.5-4.52.4 php7-mysql-debuginfo-7.2.5-4.52.4 
php7-odbc-7.2.5-4.52.4 php7-odbc-debuginfo-7.2.5-4.52.4 php7-opcache-7.2.5-4.52.4 php7-opcache-debuginfo-7.2.5-4.52.4 php7-openssl-7.2.5-4.52.4 php7-openssl-debuginfo-7.2.5-4.52.4 php7-pcntl-7.2.5-4.52.4 php7-pcntl-debuginfo-7.2.5-4.52.4 php7-pdo-7.2.5-4.52.4 php7-pdo-debuginfo-7.2.5-4.52.4 php7-pgsql-7.2.5-4.52.4 php7-pgsql-debuginfo-7.2.5-4.52.4 php7-phar-7.2.5-4.52.4 php7-phar-debuginfo-7.2.5-4.52.4 php7-posix-7.2.5-4.52.4 php7-posix-debuginfo-7.2.5-4.52.4 php7-shmop-7.2.5-4.52.4 php7-shmop-debuginfo-7.2.5-4.52.4 php7-snmp-7.2.5-4.52.4 php7-snmp-debuginfo-7.2.5-4.52.4 php7-soap-7.2.5-4.52.4 php7-soap-debuginfo-7.2.5-4.52.4 php7-sockets-7.2.5-4.52.4 php7-sockets-debuginfo-7.2.5-4.52.4 php7-sodium-7.2.5-4.52.4 php7-sodium-debuginfo-7.2.5-4.52.4 php7-sqlite-7.2.5-4.52.4 php7-sqlite-debuginfo-7.2.5-4.52.4 php7-sysvmsg-7.2.5-4.52.4 php7-sysvmsg-debuginfo-7.2.5-4.52.4 php7-sysvsem-7.2.5-4.52.4 php7-sysvsem-debuginfo-7.2.5-4.52.4 php7-sysvshm-7.2.5-4.52.4 php7-sysvshm-debuginfo-7.2.5-4.52.4 php7-tokenizer-7.2.5-4.52.4 php7-tokenizer-debuginfo-7.2.5-4.52.4 php7-wddx-7.2.5-4.52.4 php7-wddx-debuginfo-7.2.5-4.52.4 php7-xmlreader-7.2.5-4.52.4 php7-xmlreader-debuginfo-7.2.5-4.52.4 php7-xmlrpc-7.2.5-4.52.4 php7-xmlrpc-debuginfo-7.2.5-4.52.4 php7-xmlwriter-7.2.5-4.52.4 php7-xmlwriter-debuginfo-7.2.5-4.52.4 php7-xsl-7.2.5-4.52.4 php7-xsl-debuginfo-7.2.5-4.52.4 php7-zip-7.2.5-4.52.4 php7-zip-debuginfo-7.2.5-4.52.4 php7-zlib-7.2.5-4.52.4 php7-zlib-debuginfo-7.2.5-4.52.4 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): php7-pear-7.2.5-4.52.4 php7-pear-Archive_Tar-7.2.5-4.52.4 References: https://www.suse.com/security/cve/CVE-2020-7059.html https://www.suse.com/security/cve/CVE-2020-7060.html https://www.suse.com/security/cve/CVE-2020-7062.html https://www.suse.com/security/cve/CVE-2020-7063.html https://bugzilla.suse.com/1162629 https://bugzilla.suse.com/1162632 https://bugzilla.suse.com/1165280 https://bugzilla.suse.com/1165289 From sle-security-updates at 
lists.suse.com Tue Mar 10 11:13:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Mar 2020 18:13:50 +0100 (CET)
Subject: SUSE-SU-2020:0632-1: important: Security update for tomcat
Message-ID: <20200310171350.DA5CDF79E@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0632-1
Rating: important
References: #1139924 #1159723 #1159729 #1164692 #1164825 #1164860
Cross-References: CVE-2019-10072 CVE-2019-12418 CVE-2019-17563 CVE-2019-17569 CVE-2020-1935 CVE-2020-1938
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for tomcat to version 9.0.31 fixes the following issues:

Security issues fixed:

- CVE-2019-10072: Fixed a denial-of-service that could have been caused by clients omitting WINDOW_UPDATE messages in HTTP/2 streams (bsc#1139924).
- CVE-2019-12418: Fixed a local privilege escalation by manipulating the RMI registry (bsc#1159723).
- CVE-2019-17563: Fixed a session fixation attack when using FORM authentication (bsc#1159729).
- CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling (bsc#1164825).
- CVE-2020-1935: Fixed an HTTP Request Smuggling issue (bsc#1164860).
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-632=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-632=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):
  tomcat-9.0.31-3.25.1
  tomcat-admin-webapps-9.0.31-3.25.1
  tomcat-docs-webapp-9.0.31-3.25.1
  tomcat-el-3_0-api-9.0.31-3.25.1
  tomcat-javadoc-9.0.31-3.25.1
  tomcat-jsp-2_3-api-9.0.31-3.25.1
  tomcat-lib-9.0.31-3.25.1
  tomcat-servlet-4_0-api-9.0.31-3.25.1
  tomcat-webapps-9.0.31-3.25.1
- SUSE Linux Enterprise Server 12-SP4 (noarch):
  tomcat-9.0.31-3.25.1
  tomcat-admin-webapps-9.0.31-3.25.1
  tomcat-docs-webapp-9.0.31-3.25.1
  tomcat-el-3_0-api-9.0.31-3.25.1
  tomcat-javadoc-9.0.31-3.25.1
  tomcat-jsp-2_3-api-9.0.31-3.25.1
  tomcat-lib-9.0.31-3.25.1
  tomcat-servlet-4_0-api-9.0.31-3.25.1
  tomcat-webapps-9.0.31-3.25.1

References:

https://www.suse.com/security/cve/CVE-2019-10072.html
https://www.suse.com/security/cve/CVE-2019-12418.html
https://www.suse.com/security/cve/CVE-2019-17563.html
https://www.suse.com/security/cve/CVE-2019-17569.html
https://www.suse.com/security/cve/CVE-2020-1935.html
https://www.suse.com/security/cve/CVE-2020-1938.html
https://bugzilla.suse.com/1139924
https://bugzilla.suse.com/1159723
https://bugzilla.suse.com/1159729
https://bugzilla.suse.com/1164692
https://bugzilla.suse.com/1164825
https://bugzilla.suse.com/1164860

From sle-security-updates at lists.suse.com Tue Mar 10 11:17:18 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Mar 2020 18:17:18 +0100 (CET)
Subject: SUSE-SU-2020:0629-1: moderate: Security update for librsvg
Message-ID: <20200310171718.351EFF79E@maintenance.suse.de>

SUSE Security Update: Security update for librsvg
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0629-1
Rating: moderate
References: #1162501
Cross-References:
CVE-2019-20446
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for librsvg to version 2.42.8 fixes the following issues:

librsvg was updated to version 2.42.8 fixing the following issues:

- CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
- Fixed a stack exhaustion with circular references in elements.
- Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG "use" elements in malicious SVGs.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-629=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-629=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-629=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): librsvg-debugsource-2.42.8-3.3.1 rsvg-view-2.42.8-3.3.1 rsvg-view-debuginfo-2.42.8-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): gdk-pixbuf-loader-rsvg-32bit-2.42.8-3.3.1 gdk-pixbuf-loader-rsvg-32bit-debuginfo-2.42.8-3.3.1 librsvg-2-2-32bit-2.42.8-3.3.1 librsvg-2-2-32bit-debuginfo-2.42.8-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): rsvg-thumbnailer-2.42.8-3.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): librsvg-debugsource-2.42.8-3.3.1 librsvg-devel-2.42.8-3.3.1 typelib-1_0-Rsvg-2_0-2.42.8-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 gdk-pixbuf-loader-rsvg-debuginfo-2.42.8-3.3.1 librsvg-2-2-2.42.8-3.3.1 librsvg-2-2-debuginfo-2.42.8-3.3.1 librsvg-debugsource-2.42.8-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-20446.html https://bugzilla.suse.com/1162501 From sle-security-updates at lists.suse.com Tue Mar 10 11:23:28 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 10 Mar 2020 18:23:28 +0100 (CET) Subject: SUSE-SU-2020:0628-1: important: Security update for java-1_7_0-openjdk Message-ID: <20200310172328.EA6AEF79E@maintenance.suse.de> SUSE Security Update: Security update for 
java-1_7_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0628-1 Rating: important References: #1160968 Cross-References: CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for java-1_7_0-openjdk fixes the following issues: Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968): - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2659: Enhance datagram socket support - CVE-2020-2654: Improve Object Identifier Processing Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-628=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-628=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-628=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-628=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-628=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-628=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-628=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-628=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-628=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-628=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-628=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-628=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-628=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-628=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-628=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-628=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 
java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server for SAP 
12-SP1 (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): 
java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 
java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 - HPE Helion Openstack 8 (x86_64): java-1_7_0-openjdk-1.7.0.251-43.35.1 java-1_7_0-openjdk-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-debugsource-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-1.7.0.251-43.35.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-1.7.0.251-43.35.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-1.7.0.251-43.35.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.251-43.35.1 References: https://www.suse.com/security/cve/CVE-2020-2583.html https://www.suse.com/security/cve/CVE-2020-2590.html https://www.suse.com/security/cve/CVE-2020-2593.html https://www.suse.com/security/cve/CVE-2020-2601.html https://www.suse.com/security/cve/CVE-2020-2604.html https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2659.html https://bugzilla.suse.com/1160968 From sle-security-updates at lists.suse.com Tue Mar 10 11:26:23 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 10 Mar 2020 18:26:23 +0100 (CET) Subject: SUSE-SU-2020:0631-1: important: Security update for tomcat Message-ID: <20200310172623.5430CF79E@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ 
Announcement ID: SUSE-SU-2020:0631-1 Rating: important References: #1164692 #1164825 #1164860 Cross-References: CVE-2019-17569 CVE-2020-1935 CVE-2020-1938 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for tomcat to version 9.0.31 fixes the following issues: Security issues fixed: - CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling (bsc#1164825). - CVE-2020-1935: Fixed an HTTP Request Smuggling issue (bsc#1164860). - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 15-SP1: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-631=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-631=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): tomcat-9.0.31-4.22.1 tomcat-admin-webapps-9.0.31-4.22.1 tomcat-el-3_0-api-9.0.31-4.22.1 tomcat-jsp-2_3-api-9.0.31-4.22.1 tomcat-lib-9.0.31-4.22.1 tomcat-servlet-4_0-api-9.0.31-4.22.1 tomcat-webapps-9.0.31-4.22.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): tomcat-docs-webapp-9.0.31-4.22.1 tomcat-embed-9.0.31-4.22.1 tomcat-javadoc-9.0.31-4.22.1 tomcat-jsvc-9.0.31-4.22.1 References: https://www.suse.com/security/cve/CVE-2019-17569.html https://www.suse.com/security/cve/CVE-2020-1935.html https://www.suse.com/security/cve/CVE-2020-1938.html 
https://bugzilla.suse.com/1164692 https://bugzilla.suse.com/1164825 https://bugzilla.suse.com/1164860 From sle-security-updates at lists.suse.com Tue Mar 10 11:31:18 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 10 Mar 2020 18:31:18 +0100 (CET) Subject: SUSE-SU-2020:0630-1: important: Security update for ipmitool Message-ID: <20200310173118.EBB71F79E@maintenance.suse.de> SUSE Security Update: Security update for ipmitool ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0630-1 Rating: important References: #1085469 #1163026 Cross-References: CVE-2020-5208 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for ipmitool fixes the following issues: - CVE-2020-5208: Fixed multiple remote code execution vulnerabilities (bsc#1163026). - picmg discover messages are now DEBUG and not INFO messages (bsc#1085469). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-630=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-630=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-630=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-630=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-630=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-630=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-630=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-630=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-630=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-630=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE OpenStack Cloud 8 (x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 
ipmitool-debugsource-1.8.18-5.9.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 - HPE Helion Openstack 8 (x86_64): ipmitool-1.8.18-5.9.1 ipmitool-debuginfo-1.8.18-5.9.1 ipmitool-debugsource-1.8.18-5.9.1 References: https://www.suse.com/security/cve/CVE-2020-5208.html https://bugzilla.suse.com/1085469 https://bugzilla.suse.com/1163026 From sle-security-updates at lists.suse.com Wed Mar 11 11:19:08 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Mar 2020 18:19:08 +0100 (CET) Subject: SUSE-SU-2020:0642-1: important: Security update for ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-designate, openstack-heat, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-octavia-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-monasca-agent, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-sahara, openstack-swift, python-amqp, python-ironic-lib, python-keystoneauth1, python-keystoneclient, python-keystonemiddleware, python-ovs, supportutils-plugin-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, venv-openstack-horizon Message-ID: <20200311171908.182D6F79E@maintenance.suse.de> SUSE Security Update: 
Security update for ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-designate, openstack-heat, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-octavia-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-monasca-agent, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-sahara, openstack-swift, python-amqp, python-ironic-lib, python-keystoneauth1, python-keystoneclient, python-keystonemiddleware, python-ovs, supportutils-plugin-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, venv-openstack-horizon ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0642-1 Rating: important References: #1117080 #1152007 #1154235 #1156305 #1156914 #1157028 #1157206 #1157482 #1158581 #1158675 #1161351 #1161721 Cross-References: CVE-2018-17954 CVE-2019-13117 CVE-2019-16770 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that solves three vulnerabilities and has 9 fixes is now available. 
Description: This update for ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-designate, openstack-heat, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-octavia-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-monasca-agent, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-sahara, openstack-swift, python-amqp, python-ironic-lib, python-keystoneauth1, python-keystoneclient, python-keystonemiddleware, python-ovs, supportutils-plugin-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, venv-openstack-horizon fixes the following issues: Security issues fixed: - CVE-2018-17954: Enabled restricted commands for Cloud 8 (bsc#1117080). - CVE-2019-16770: Fixed a DoS vulnerability a malicious client could use to block a large amount of threads (bsc#1158675). 
Non-security issues fixed: Changes in ardana-ansible: - Update to version 9.0+git.1581611758.f694f7d: * Don't run deprecated-vhost-removal on localhost (SOC-11098) - Update to version 9.0+git.1580906085.40eb430: * simplify glance image upload (SOC-11089) - Update to version 9.0+git.1580220034.3236aa5: * Ensure rabbitmq-server started after packages updated (SOC-11070) - Update to version 9.0+git.1576060554.bdd84e6: * Fix grep for image details on service-guest-image (SOC-11012) Changes in ardana-cinder: - Update to version 9.0+git.1579256229.c8b4b38: * Add option to flatten snapshots when using SES (SOC-11054) - Update to version 9.0+git.1574694613.04a8b74: * Ensure nfs-client installed for NetApp support (SOC-9005) - Update to version 9.0+git.1574359983.c198cc9: * Add option for nfs_share configuration (SOC-9005) Changes in ardana-cobbler: - Update to version 9.0+git.1574950066.a3c4be4: * Set root device on SLES autoyast templates (SOC-7365) - Update to version 9.0+git.1573845154.3545efd: * Change install_recommended to true (SOC-9005) Changes in ardana-db: - Update to version 9.0+git.1578936438.b9a9b95: * Switch to using override file in my.cnf.d (SOC-11043) - Update to version 9.0+git.1578595169.57c5911: * account for pre-update nodes (SOC-11037) Changes in ardana-horizon: - Update to version 9.0+git.1575562864.8ed5e10: * Generate policy for Octavia dashboard (SOC-10883) - Update to version 9.0+git.1575562860.2ce2851: * Fix policy configuration generation (SOC-10883) Changes in ardana-input-model: - Update to version 9.0+git.1580403439.d425462: * Enable port security extension neutron (SOC-11027) - Update to version 9.0+git.1574953363.60cf58f: * octavia: use lbaasv2-proxy service plugin (SOC-10987) Changes in ardana-monasca: - Update to version 9.0+git.1579273481.4b8c46f: * Leverage schema conversion script for upgrade (SOC-10277) - Update to version 9.0+git.1575919721.5c42222: * align Monasca DB schema with upstream prior to upgrade (SOC-10277) Changes in 
ardana-mq: - Update to version 9.0+git.1581024903.8e74867: * Ensure HA queue sync wait fails (SOC-11083) - Update to version 9.0+git.1580934283.230ff8b: * Fix HA policy setting comments (SOC-10317, SOC-11082) - Update to version 9.0+git.1580746285.da922ce: * Set HA policy accordingly (SOC-10317, SOC-11082) - Update to version 9.0+git.1575405552.d84f662: * Change the HA policy mirror (SOC-10317) Changes in ardana-nova: - Update to version 9.0+git.1580304673.6c668eb: * Set notification_format to unversioned in nova.conf (bsc#1161721) - Update to version 9.0+git.1575481165.9d3826f: * Remove duplicate entries for alias configuration for GPU (SOC-10837) - Update to version 9.0+git.1573764498.ed4098d: * Pass through gpu device info. (SOC-10837) Changes in ardana-octavia: - Update to version 9.0+git.1576074489.62de7e2: * Add load-balancer roles (SOC-8743) - Update to version 9.0+git.1575366951.e0216b4: * Add policy.json to match the neutron lbaasv2 policy (SOC-10987) - Update to version 9.0+git.1574358661.c976583: * Change event_streamer_driver to noop (bsc#1154235) Changes in ardana-osconfig: - Update to version 9.0+git.1580235830.0dca223: * Start OVS services before wicked service at boot (SOC-11067) - Update to version 9.0+git.1579790275.8afb314: * Adjust 'fs.inotify.max_user_instances' to align with crowbar (bsc#1161351) Changes in ardana-tempest: - Update to version 9.0+git.1578932816.e299c08: * Revert to using cirros image for heat tests (SOC-7028) - Update to version 9.0+git.1578413400.0614192: * Create network resources needed by some heat tests (SOC-7028) - Update to version 9.0+git.1576611974.d17e4df: * Enable octavia tempest plugin test cases (SOC-8743) - Update to version 9.0+git.1574955714.5bae846: * Update lbaas tempest filter for octavia (SOC-10987) Changes in ardana-tls: - Update to version 9.0+git.1575296665.3fdfe45: * Make sure VNC CA file contain our internal CAs (SOC-10968) - Update to version 9.0+git.1574280348.a306396: * default the certificate 
validity to 5 years for the VNC cert (SOC-10973) Changes in crowbar-core: - Update to version 6.0+git.1582892022.cbd70e833: * upgrade: Run DHCP evacuation (SOC-11046) - Update to version 6.0+git.1582200015.08264d8f9: * Fix deployment queue display (SOC-10741) - Update to version 6.0+git.1580144807.7d068caf0: * network: start OVS before wickedd (SOC-11067) - Update to version 6.0+git.1578997967.4591670f0: * dns: add checks to designate migration (SOC-11047) - Update to version 6.0+git.1578935422.01edb0a9b: * Do not log an error for a case that is correct (trivial) - Update to version 6.0+git.1578563578.68beda299: * Upgrade neutron agent together with nova-compute package (SOC-11031) - Update to version 6.0+git.1578402096.90d9332d9: * apache2: Restart after enabling SSL flag (SOC-11029) * crowbar: add crowbar-pacemaker dependency (SOC-10986) - Update to version 6.0+git.1576756414.ca49a781d: * bind9: Add legacy public.foo DNS entries (SOC-11006) - Update to version 6.0+git.1576662075.88de27567: * upgrade: Make a check for SLES product version (SOC-3089) - Update to version 6.0+git.1576493114.5e9534f13: * upgrade: Stop if nova-compute upgrade fails (SOC-10378) * upgrade: Fix typo in log message (typo) - Update to version 6.0+git.1576149781.1ac02ef0d: * upgrade: add missing exit to Monasca DB dump (trivial) - Update to version 6.0+git.1576072790.23b58b4a2: * upgrade: Fix systemd unit listing (trivial) * Make sure the crowbar migrations are OK (SOC-6849) - Update to version 6.0+git.1575980638.3cad5a333: * Ignore CVE-2019-16770 (SOC-10999) * upgrade: Make cluster health check at the start of services step (SOC-6849) * upgrade: Remove DRBD specific code from the continuation parts (SOC-10985) - Update to version 6.0+git.1575628097.5a7475686: * upgrade: Do not stop and reload nova services in normal mode (SOC-10995) - Update to version 6.0+git.1574763248.ad958e68c: * Disable installation repository (bsc#1152007) * Disable automatic repo services (bsc#1152007) - Update to 
version 6.0+git.1574431193.3f5c69937: * [upgrade] Wait for keystone to be ready after start (bsc#1157206) - Update to version 6.0+git.1574363439.bc4d86c9b: * upgrade: Make sure cinder-volume is really stopped (bsc#1156305) - Update to version 6.0+git.1574270808.e4344109b: * upgrade: Ignore Cloud repository during repocheck (bsc#1152007) - Update to version 6.0+git.1574102328.13f0b12bf: * Ignore CVE-2019-13117 in CI builds (bsc#1157028) Changes in crowbar-ha: - Update to version 6.0+git.1574286261.6fd1a34: * Drop g-haproxy removal code (bsc#1156914) Changes in crowbar-openstack: - Update to version 6.0+git.1580922461.67fb3c087: * Designate: make sure dns-server is active on a non-admin node (SOC-10636) * Revert rabbitmq: sync startup definitions.json with recipe (SOC-11082) - Update to version 6.0+git.1580480133.d27bf75d0: * ec2-api: run keystone_register on cluster founder only (SOC-11079) - Update to version 6.0+git.1580308069.558c6dd8a: * rabbitmq: sync startup definitions.json with recipe (SOC-11077) - Update to version 6.0+git.1579097055.cf15ef22e: * tempest: enable multiattach for NetApp + LVM (SCPM-97) * tempest: tempest run filters as templates (SOC-11052) - Update to version 6.0+git.1578491103.ca03b990c: * Install openstack client for neutron recipes (SOC-11039) - Update to version 6.0+git.1576859278.871ed9151: * octavia: Add topology setting (SOC-10876) - Update to version 6.0+git.1576769055.cae3ecf9a: * octavia: Add anti-affinity settings (SOC-11026) * designate: Fix the migrations of ssl values (SOC-11030) * octavia: Also delete unused amphora images (SOC-11024) * octavia: Delete old amphora images (SOC-11024) * octavia: Install amphora image always (SOC-11024) - Update to version 6.0+git.1576688912.0cfb42201: * Do not read data from barclamp that has not been saved (SOC-11028) * octavia: Add ssh key to health manager (SOC-11025) - Update to version 6.0+git.1576513513.8456a08f8: * designate: Mark as user managed (SOC-10233) - Update to version 
6.0+git.1576331976.c068cbe15: * octavia: Update configuration parameters (SOC-10904) - Update to version 6.0+git.1576245850.2d50399b5: * tempest: Update default image on schema (SOC-11023) - Update to version 6.0+git.1576145909.ec2c5f746: * octavia: enable octavia tempest plugin test cases (SOC-8743) - Update to version 6.0+git.1576091112.c802654e0: * keystone: Add OS_INTERFACE env var to .openrc (SOC-11006) * horizon: add Octavia horizon dashboard (SOC-10833) - Update to version 6.0+git.1575917420.9a9d1b024: * Add Crowbar UI options for mgmt net (SOC-10904) * octavia: configure barbican auth (SOC-10989) * octavia: fix deprecated config options (SOC-10990) - Update to version 6.0+git.1574850023.d4c2337fc: * tempest: create lbaas-octavia filter (SOC-10965) * octavia: switch to noop event streamer (SOC-10868) * tempest: fix lbaasv2 tests with Octavia lbaasv2-proxy service plugin (SOC-10907) - Update to version 6.0+git.1574685608.1c9818d53: * horizon: fix keystone node lookup (SOC-10978) - Update to version 6.0+git.1574428771.9bd63ba0d: * designate: declare all mdns servers as master on pool config (SOC-10952) - Update to version 6.0+git.1574334452.15e0db044: * designate: add support for SSL (SOC-10877) * horizon: install lbaas horizon dashboard (SOC-10883) - Update to version 6.0+git.1574270038.651a48486: * octavia: add SSL section to the UI (SOC-10906) - Update to version 6.0+git.1574094012.3c62b569f: * octavia: Add memcached_servers for token caching (SOC-10905) Changes in crowbar-ui: - Update to version 1.3.0+git.1575896697.a01a3a08: * upgrade: Added missing error title * travis: Stop testing against nodejs4 Changes in keepalived: - update to 2.0.19 - new BR pkgconfig(libnftnl) to fix nftables support - add nftables to the BR - added patch * linux-4.15.patch - add buildrequires for file-devel - used in the checker to verify scripts - enable json stats and config dump support new BR: pkgconfig(json-c) - enable http regexp support: new BR pcre2-devel - disable dbus 
instance creation support as it is marked as dangerous - Add BFD build option to keepalived.spec rpm file Issue #1114 identified that the keepalived.spec file was not being generated to build BFD support even if keepalived had been configured to support it. - full changelog https://keepalived.org/changelog.html Changes in openstack-barbican: - Update to version barbican-7.0.1.dev24: * Fix the barbicanclient installation not from source - Update to version barbican-7.0.1.dev23: * Don't use branch matching * Make broken fedora\_latest job n-v Changes in openstack-barbican: - Update to version barbican-7.0.1.dev24: * Fix the barbicanclient installation not from source - Update to version barbican-7.0.1.dev23: * Don't use branch matching * Make broken fedora\_latest job n-v Changes in openstack-ceilometer: - Update to version ceilometer-11.0.2.dev21: * Tell reno to ignore the kilo branch * Run Grenade job under Python 2 for compatibility - Update to version ceilometer-11.0.2.dev19: * [stable-only] Cap msgpack - Update to version ceilometer-11.0.2.dev18: * Add note for loadbalancer resource type support - Update to version ceilometer-11.0.2.dev17: * Fix samples with dots in sample name - Update to version ceilometer-11.0.2.dev15: * Add loadbalancer resource type Changes in openstack-ceilometer: - Update to version ceilometer-11.0.2.dev21: * Tell reno to ignore the kilo branch * Run Grenade job under Python 2 for compatibility - Update to version ceilometer-11.0.2.dev19: * [stable-only] Cap msgpack - Update to version ceilometer-11.0.2.dev18: * Add note for loadbalancer resource type support - Update to version ceilometer-11.0.2.dev17: * Fix samples with dots in sample name - Update to version ceilometer-11.0.2.dev15: * Add loadbalancer resource type Changes in openstack-cinder: - Update to version cinder-13.0.9.dev11: * Cinder backup export broken - Update to version cinder-13.0.9.dev10: * Support Incremental Backup Completion In RBD - Update to version 
cinder-13.0.9.dev8: * Fix: Create new cache entry when xtremio reaches snap limit * Tell reno to ignore the kilo branch - Update to version cinder-13.0.9.dev5: * Make volume soft delete more thorough - Update to version cinder-13.0.9.dev4: * Cap sphinx for py2 to match global reqs 13.0.8 - Update to version cinder-13.0.8.dev12: * Add 'volume\_attachment' to volume expected attributes * Fix service\_uuid migration for volumes with no host - Update to version cinder-13.0.8.dev9: * Increase cpu limit for image conversion Changes in openstack-cinder: - Update to version cinder-13.0.9.dev11: * Cinder backup export broken - Update to version cinder-13.0.9.dev10: * Support Incremental Backup Completion In RBD - Update to version cinder-13.0.9.dev8: * Fix: Create new cache entry when xtremio reaches snap limit * Tell reno to ignore the kilo branch - Update to version cinder-13.0.9.dev5: * Make volume soft delete more thorough - Update to version cinder-13.0.9.dev4: * Cap sphinx for py2 to match global reqs 13.0.8 - Update to version cinder-13.0.8.dev12: * Add 'volume\_attachment' to volume expected attributes * Fix service\_uuid migration for volumes with no host - Update to version cinder-13.0.8.dev9: * Increase cpu limit for image conversion Changes in openstack-dashboard: - Update to version horizon-14.1.1.dev1: 14.1.0 * Ensure python versions - Update to version horizon-14.0.5.dev9: * Fix typo in publicize\_image policy name - Update to version horizon-14.0.5.dev8: * Fix "prev" link pagination for instances with identical timestamps - Update to version horizon-14.0.5.dev7: * Fix deleting port from port details page * Fix tenant floating\_ip\_allocation call in neutron rest api - Update to version horizon-14.0.5.dev3: * Add "prev" link to instance page list pagination - horizon: Obsolete python-django_openstack_auth (SOC-10228) port of https://review.opendev.org/#/c/685224 - Update to version horizon-14.0.5.dev2: * Call Glance list with certain image ids Changes in 
openstack-dashboard-theme-SUSE: - Add trigger for openstack-horizon-plugin-octavia-ui (SOC-10883) Changes in openstack-designate: - Update to version designate-7.0.1.dev23: * Use Tempest 'all' tox env Changes in openstack-designate: - Update to version designate-7.0.1.dev23: * Use Tempest 'all' tox env Changes in openstack-heat: - Update to version openstack-heat-11.0.3.dev31: * Update Fedora image ref for test jobs - Update to version openstack-heat-11.0.3.dev29: * Docs: use extrefs to link to other projects' docs - Update to version openstack-heat-11.0.3.dev28: * Use stable constraint for Tempest pinned stable branches - Update to version openstack-heat-11.0.3.dev27: * Correct BRANCH\_OVERRIDE for stable/rocky * Correct availability\_zone to be non-mandatory in heat - Update to version openstack-heat-11.0.3.dev24: * Fix the wrong time unit for OS::Octavia::HealthMonitor Changes in openstack-heat: - Update to version openstack-heat-11.0.3.dev31: * Update Fedora image ref for test jobs - Update to version openstack-heat-11.0.3.dev29: * Docs: use extrefs to link to other projects' docs - Update to version openstack-heat-11.0.3.dev28: * Use stable constraint for Tempest pinned stable branches - Update to version openstack-heat-11.0.3.dev27: * Correct BRANCH\_OVERRIDE for stable/rocky * Correct availability\_zone to be non-mandatory in heat - Update to version openstack-heat-11.0.3.dev24: * Fix the wrong time unit for OS::Octavia::HealthMonitor Changes in openstack-horizon-plugin-designate-ui: - Update to version designate-dashboard-7.0.1.dev8: * Fix list zones updated at same time Changes in openstack-horizon-plugin-ironic-ui: - Update to version ironic-ui-3.3.1.dev14: * Fix horizon dependency * OpenDev Migration Patch Changes in openstack-horizon-plugin-neutron-lbaas-ui: - Update to version neutron-lbaas-dashboard-5.0.1.dev8: * Fix auth url for Barbican client - Add _1481_project_ng_loadbalancersv2_panel.pyc file to package (SOC-10883) The .pyc file needs to be 
removed when the package is uninstalled, otherwise the panel will remain enabled in the dashboard and cause errors. Changes in openstack-ironic: - Update to version ironic-11.1.4.dev22: * Change MTU logic to allow for lower MTUs automatically * Do not ignore 'fields' query parameter when building next url * Ensure pagination marker is always set - Update to version ironic-11.1.4.dev17: * grub configuration should use user kernel and ramdisk - Update to version ironic-11.1.4.dev16: * Change log level based on node status Changes in openstack-ironic: - Remove rootwrap.d/ironic-lib.filters. This file is included in python-ironic-lib >= 2.14.2. - Update to version ironic-11.1.4.dev22: * Change MTU logic to allow for lower MTUs automatically * Do not ignore 'fields' query parameter when building next url * Ensure pagination marker is always set - Update to version ironic-11.1.4.dev17: * grub configuration should use user kernel and ramdisk - Update to version ironic-11.1.4.dev16: * Change log level based on node status Changes in openstack-ironic-python-agent: - Update to version ironic-python-agent-3.3.3.dev6: * Fix tox.ini to correctly test lower-constraints Changes in openstack-keystone: - Update to version keystone-14.1.1.dev36: * Tell reno to ignore the kilo branch - Update to version keystone-14.1.1.dev35: * Always have username in CADF initiator - Update to version keystone-14.1.1.dev33: * Fix role\_assignments role.id filter * Ensure bootstrap handles multiple roles with the same name - Update to version keystone-14.1.1.dev29: * Add the missing packages when install keystone Changes in openstack-keystone: - Update to version keystone-14.1.1.dev36: * Tell reno to ignore the kilo branch - Update to version keystone-14.1.1.dev35: * Always have username in CADF initiator - Update to version keystone-14.1.1.dev33: * Fix role\_assignments role.id filter * Ensure bootstrap handles multiple roles with the same name - Update to version keystone-14.1.1.dev29: * Add the 
missing packages when install keystone Changes in openstack-magnum: - Update to version magnum-7.2.1.dev1: * Remove buildimage jobs 7.2.0 - Update to version magnum-7.1.1.dev38: * k8s\_fedora: Move rp\_filter=1 for calico up * k8s\_fedora\_atomic: Add PodSecurityPolicy * k8s: Clear cni configuration * fix: Deploy enable\_service last (rocky only) - Update to version magnum-7.1.1.dev34: * k8s\_fedora: Label master nodes with kubectl * k8s: stop introspecting instance name * Fix proportional autoscaler image * Using Fedora Atomic 29 as default image Changes in openstack-magnum: - Update to version magnum-7.2.1.dev1: * Remove buildimage jobs 7.2.0 - Update to version magnum-7.1.1.dev38: * k8s\_fedora: Move rp\_filter=1 for calico up * k8s\_fedora\_atomic: Add PodSecurityPolicy * k8s: Clear cni configuration * fix: Deploy enable\_service last (rocky only) - Update to version magnum-7.1.1.dev34: * k8s\_fedora: Label master nodes with kubectl * k8s: stop introspecting instance name * Fix proportional autoscaler image * Using Fedora Atomic 29 as default image Changes in openstack-monasca-agent: - update to version 2.8.1~dev13 - add X.509 certificate check plugin - update to version 2.8.1~dev12 - Update hacking version to 1.1.x - OpenDev Migration Patch Changes in openstack-neutron: - Update to version neutron-13.0.7.dev48: * Do not initialize snat-ns twice * Fix bug: AttributeError arises while sorting with standard attributes - Update to version neutron-13.0.7.dev44: * ovs agent: signal to plugin if tunnel refresh needed * Mock check if ipv6 is enabled in L3 agent unit tests * Fix resource schemas and related \`get\_sorts\` test cases * Remove sleep command when retrieving OVS dp - Update to version neutron-13.0.7.dev36: * Remove Floating IP DNS record upon associated port deletion * Trigger router update only when gateway port IP changed * Re-use existing ProcessLauncher from wsgi in RPC workers - Update to version neutron-13.0.7.dev30: * Check SG members instead of 
ports to skip flow update * Ensure driver error preventing trunk port deletion is logged * [L3] Switch order of processing added and removed router ports - Update to version neutron-13.0.7.dev24: * dhcp-agent: equalize port create\_low/update/delete priority * Catch OVSFWTagNotFound in update\_port\_filter * [OVS] Handle added/removed ports in the same polling iteration * DVR: Ignore DHCP port during DVR host query * Improve "OVSFirewallDriver.process\_trusted\_ports" * List SG rules which belongs to tenant's SG * Fix py3 compatibility - Update to version neutron-13.0.7.dev10: * Define orm relationships after db classes * Add retries to update trunk port - Update to version neutron-13.0.7.dev6: * Allow to kill keepalived state change monitor process - Update to version neutron-13.0.7.dev4: * Always set ovs bridge name in vif:binding-details - Update to version neutron-13.0.7.dev2: * don't clear skb mark when ovs is hw-offload enabled - Update to version neutron-13.0.7.dev1: * Use constraints for docs tox target and cap hacking 13.0.6 - Update to version neutron-13.0.6.dev21: * Set DB retry for quota\_enforcement pecan\_wsgi hook - Update to version neutron-13.0.6.dev20: * [OVS FW] Clean port rules if port not found in ovsdb * Add more condition to check sg member exist - Update to version neutron-13.0.6.dev17: * Fix race condition when getting cmdline - Update to version neutron-13.0.6.dev15: * Run revision bump operations en masse - Update to version neutron-13.0.6.dev13: * Add extra unit test for get\_cmdline\_from\_pid function - Update to version neutron-13.0.6.dev11: * Switch to use cast method in dhcp\_ready\_on\_ports method - Update to version neutron-13.0.6.dev10: * Handle OVSFWPortNotFound and OVSFWTagNotFound in ovs firewall Changes in openstack-neutron: - Update to version neutron-13.0.7.dev48: * Do not initialize snat-ns twice * Fix bug: AttributeError arises while sorting with standard attributes - Update to version neutron-13.0.7.dev44: * ovs agent: 
signal to plugin if tunnel refresh needed * Mock check if ipv6 is enabled in L3 agent unit tests * Fix resource schemas and related \`get\_sorts\` test cases * Remove sleep command when retrieving OVS dp - Update to version neutron-13.0.7.dev36: * Remove Floating IP DNS record upon associated port deletion * Trigger router update only when gateway port IP changed * Re-use existing ProcessLauncher from wsgi in RPC workers - Update to version neutron-13.0.7.dev30: * Check SG members instead of ports to skip flow update * Ensure driver error preventing trunk port deletion is logged * [L3] Switch order of processing added and removed router ports - Update to version neutron-13.0.7.dev24: * dhcp-agent: equalize port create\_low/update/delete priority * Catch OVSFWTagNotFound in update\_port\_filter * [OVS] Handle added/removed ports in the same polling iteration * DVR: Ignore DHCP port during DVR host query * Improve "OVSFirewallDriver.process\_trusted\_ports" * List SG rules which belongs to tenant's SG * Fix py3 compatibility - Update neutron-ha-tool to latest version: * Add DHCP agent evacuation (SOC-11046) - Update to version neutron-13.0.7.dev10: * Define orm relationships after db classes * Add retries to update trunk port - Update to version neutron-13.0.7.dev6: * Allow to kill keepalived state change monitor process - Update to version neutron-13.0.7.dev4: * Always set ovs bridge name in vif:binding-details - Update to version neutron-13.0.7.dev2: * don't clear skb mark when ovs is hw-offload enabled - Update to version neutron-13.0.7.dev1: * Use constraints for docs tox target and cap hacking 13.0.6 - Update to version neutron-13.0.6.dev21: * Set DB retry for quota\_enforcement pecan\_wsgi hook - Update to version neutron-13.0.6.dev20: * [OVS FW] Clean port rules if port not found in ovsdb * Add more condition to check sg member exist - Update to version neutron-13.0.6.dev17: * Fix race condition when getting cmdline - Update to version neutron-13.0.6.dev15: * 
Run revision bump operations en masse - neutron: Remove stop action from ovs-cleanup (bsc#1157482) backport of https://review.opendev.org/#/c/695867/ - Update to version neutron-13.0.6.dev13: * Add extra unit test for get\_cmdline\_from\_pid function - Update to version neutron-13.0.6.dev11: * Switch to use cast method in dhcp\_ready\_on\_ports method - Update to version neutron-13.0.6.dev10: * Handle OVSFWPortNotFound and OVSFWTagNotFound in ovs firewall Changes in openstack-neutron-fwaas: - Update to version neutron-fwaas-13.0.3.dev4: * Fix sorting of filter rules in legacy\_conntrack module - Update to version neutron-fwaas-13.0.3.dev3: * Fix list\_entries for netlink\_lib when running on py3 Changes in openstack-neutron-fwaas: - Update to version neutron-fwaas-13.0.3.dev4: * Fix sorting of filter rules in legacy\_conntrack module - Update to version neutron-fwaas-13.0.3.dev3: * Fix list\_entries for netlink\_lib when running on py3 Changes in openstack-neutron-gbp: - Update to version group-based-policy-5.0.1.dev491: * Refactor static path code - Update to version group-based-policy-5.0.1.dev490: * Support named ip protocols for SecurityGroupRules - Update to version group-based-policy-5.0.1.dev488: * Enable SVI networks with hosts running opflex agent - Update to version group-based-policy-5.0.1.dev486: * Allow both FIP and SNAT on a single port - Update to version group-based-policy-5.0.1.dev485: * Fix active-active AAP RPC query - Update to version group-based-policy-5.0.1.dev484: * [AIM] Add extra provided/consumed contracts to network extension * Active active AAP feature - Update to version group-based-policy-5.0.1.dev481: * Support cache option for legacy GBP driver - Update to version group-based-policy-5.0.1.dev480: * Fix host ID length in VM names table - Update to version group-based-policy-5.0.1.dev479: * Update\_proj\_descr in apic when project description is updated in os - Update to version group-based-policy-5.0.1.dev477: * Fix ambiguity in 
mapping to domain in port pair workflow Changes in openstack-neutron-vpnaas: - Update to version neutron-vpnaas-13.0.2.dev6: * Add iptables command filter for functional test - Update to version neutron-vpnaas-13.0.2.dev5: * Update UPPER\_CONSTRAINTS\_FILE for stable/rocky Changes in openstack-neutron-vpnaas: - Update to version neutron-vpnaas-13.0.2.dev6: * Add iptables command filter for functional test - Update to version neutron-vpnaas-13.0.2.dev5: * Update UPPER\_CONSTRAINTS\_FILE for stable/rocky Changes in openstack-nova: - Update to version nova-18.2.4.dev63: * Mask the token used to allow access to consoles - Update to version nova-18.2.4.dev61: * Use stable constraint for Tempest pinned stable branches - Update to version nova-18.2.4.dev60: * tox: Stop build \*all\* docs in 'docs' - Update to version nova-18.2.4.dev59: * Block deleting compute services with in-progress migrations * Cache security group driver * Join migration\_context and flavor in Migration.instance - Update to version nova-18.2.4.dev53: * Improve metadata server performance with large security groups - Update to version nova-18.2.4.dev51: * Add functional recreate revert resize test for bug 1852610 * Add functional recreate test for bug 1852610 - Update to version nova-18.2.4.dev47: * Zuul v3: use devstack-plugin-nfs-tempest-full - Update to version nova-18.2.4.dev46: * Add BFV wrinkle to TestNovaManagePlacementHealAllocations * Add --instance option to heal\_allocations * Add --dry-run option to heal\_allocations CLI - Update to version nova-18.2.4.dev40: * Add functional recreate test for bug 1829479 and bug 1817833 - Update to version nova-18.2.4.dev38: * Do not update root\_device\_name during guest config * compute: Use long\_rpc\_timeout in reserve\_block\_device\_name - Update to version nova-18.2.4.dev35: * compute: Take an instance.uuid lock when rebooting - Update to version nova-18.2.4.dev33: * Replace time.sleep(10) with service forced\_down in tests - Update to version 
nova-18.2.4.dev31: * Nova compute: add in log exception to help debug failures - Update to version nova-18.2.4.dev29: * Fix false ERROR message at compute restart - Update to version nova-18.2.4.dev27: * Fix listing deleted servers with a marker - Update to version nova-18.2.4.dev25: * Add functional regression test for bug 1849409 - Update to version nova-18.2.4.dev23: * Don't delete compute node, when deleting service other than nova-compute Changes in openstack-nova: - Update to version nova-18.2.4.dev63: * Mask the token used to allow access to consoles - Update to version nova-18.2.4.dev61: * Use stable constraint for Tempest pinned stable branches - Update to version nova-18.2.4.dev60: * tox: Stop build \*all\* docs in 'docs' - Update to version nova-18.2.4.dev59: * Block deleting compute services with in-progress migrations * Cache security group driver * Join migration\_context and flavor in Migration.instance - Update to version nova-18.2.4.dev53: * Improve metadata server performance with large security groups - Update to version nova-18.2.4.dev51: * Add functional recreate revert resize test for bug 1852610 * Add functional recreate test for bug 1852610 - Update to version nova-18.2.4.dev47: * Zuul v3: use devstack-plugin-nfs-tempest-full - Update to version nova-18.2.4.dev46: * Add BFV wrinkle to TestNovaManagePlacementHealAllocations * Add --instance option to heal\_allocations * Add --dry-run option to heal\_allocations CLI - Update to version nova-18.2.4.dev40: * Add functional recreate test for bug 1829479 and bug 1817833 - Update to version nova-18.2.4.dev38: * Do not update root\_device\_name during guest config * compute: Use long\_rpc\_timeout in reserve\_block\_device\_name - Update to version nova-18.2.4.dev35: * compute: Take an instance.uuid lock when rebooting - Update to version nova-18.2.4.dev33: * Replace time.sleep(10) with service forced\_down in tests - Update to version nova-18.2.4.dev31: * Nova compute: add in log exception to help 
debug failures - Update to version nova-18.2.4.dev29: * Fix false ERROR message at compute restart - Update to version nova-18.2.4.dev27: * Fix listing deleted servers with a marker - Update to version nova-18.2.4.dev25: * Add functional regression test for bug 1849409 - Update to version nova-18.2.4.dev23: * Don't delete compute node, when deleting service other than nova-compute Changes in openstack-octavia: - Update to version octavia-3.2.2.dev8: * Fix uncaught DB exception when trying to get a spare amphora - Update to version octavia-3.2.2.dev7: * Fix house keeping graceful shutdown - Update to version octavia-3.2.2.dev5: * Fix pep8 failures on stable/rocky branch - Update to version octavia-3.2.2.dev4: * Use stable upper-constraints.txt in Amphora builds - Update to version octavia-3.2.2.dev3: * Add listener and pool protocol validation - Update to version octavia-3.2.2.dev2: * Cap hacking version to minor than 2 3.2.1 - Update to version octavia-3.2.1.dev10: * Accept oslopolicy-policy-generator path arguments - Add patch 0001-Accept-oslopolicy-policy-generator-path-arguments.patch https://review.opendev.org/#/c/698433 - Update to version octavia-3.2.1.dev9: * Fix controller worker graceful shutdown - Update to version octavia-3.2.1.dev7: * Fix a potential race condition with certs-ramfs - Update to version octavia-3.2.1.dev5: * Fix issues with unavailable secrets Changes in openstack-octavia-amphora-image: - Updated updateBuildRequires.pl script for SP4 build - Update image to 0.1.2 to include latest changes - Add keepalived service Changes in openstack-sahara: - Update to version sahara-9.0.2.dev15: * Run sahara-scenario using Python 3 Changes in openstack-sahara: - Update to version sahara-9.0.2.dev15: * Run sahara-scenario using Python 3 Changes in openstack-swift: - Update to version swift-2.19.2.dev48: 2.19.2 (rocky stable backports) * Sharding improvements * The container-replicator now only attempts to fetch shard ranges if the remote indicates that it 
has shard ranges. Further, it does so with a timeout to prevent the process from hanging in certain cases. * The container-replicator now correctly enqueues container-reconciler work for sharded containers. * S3 API improvements * Fixed an issue where v4 signatures would not be validated against the body of the request, allowing a replay attack if request headers were captured by a malicious third party. Note that unsigned payloads still function normally. * CompleteMultipartUpload requests with a Content-MD5 now work. * Fixed v1 listings that end with a non-ASCII object name. * Multipart object segments are now actually deleted when the multipart object is deleted via the S3 API. * Fixed an issue that caused Delete Multiple Objects requests with large bodies to 400. This was previously fixed in 2.20.0. * Fixed an issue where non-ASCII Keystone EC2 credentials would not get mapped to the correct account. This was previously fixed in 2.20.0. Changes in openstack-swift: - Update to version swift-2.19.2.dev48: 2.19.2 (rocky stable backports) * Sharding improvements * The container-replicator now only attempts to fetch shard ranges if the remote indicates that it has shard ranges. Further, it does so with a timeout to prevent the process from hanging in certain cases. * The container-replicator now correctly enqueues container-reconciler work for sharded containers. * S3 API improvements * Fixed an issue where v4 signatures would not be validated against the body of the request, allowing a replay attack if request headers were captured by a malicious third party. Note that unsigned payloads still function normally. * CompleteMultipartUpload requests with a Content-MD5 now work. * Fixed v1 listings that end with a non-ASCII object name. * Multipart object segments are now actually deleted when the multipart object is deleted via the S3 API. * Fixed an issue that caused Delete Multiple Objects requests with large bodies to 400. This was previously fixed in 2.20.0. 
* Fixed an issue where non-ASCII Keystone EC2 credentials would not get mapped to the correct account. This was previously fixed in 2.20.0. Changes in python-amqp: - Added pyOpenSSL build dependency - Update to 2.4.2: - Added support for the Cygwin platform - Correct offset incrementation when parsing bitmaps. - Consequent bitmaps are now parsed correctly. - Removed patches that are already included in 2.4.2 - 0001-Always-treat-SSLError-timeouts-as-socket-timeouts-24.patch - Better call of py.test - Add versions to dependencies - Remove python-sasl from build dependencies - Update to version 2.4.1 * To avoid breaking the API basic_consume() now returns the consumer tag instead of a tuple when nowait is True. * Fix crash in basic_publish when broker does not support connection.blocked capability. * read_frame() is now Python 3 compatible for large payloads. * Support float read_timeout/write_timeout. * Always treat SSLError timeouts as socket timeouts. * Treat EWOULDBLOCK as timeout. - from 2.4.0 * Fix inconsistent frame_handler return value. The function returned by frame_handler is meant to return True once the complete message is received and the callback is called, False otherwise. This fixes the return value for messages with a body split across multiple frames, and heartbeat frames. * Don't default content_encoding to utf-8 for bytes. This is not an acceptable default as the content may not be valid utf-8, and even if it is, the producer likely does not expect the message to be decoded by the consumer. * Fix encoding of messages with multibyte characters. Body length was previously calculated using string length, which may be less than the length of the encoded body when it contains multibyte sequences. This caused the body of the frame to be truncated. * Respect content_encoding when encoding messages. Previously the content_encoding was ignored and messages were always encoded as utf-8. 
This caused messages to be incorrectly decoded if content_encoding is properly respected when decoding. * Fix AMQP protocol header for AMQP 0-9-1. Previously it was set to a different value for unknown reasons. * Add support for Python 3.7. Change direct SSLSocket instantiation with wrap_socket. * Add support for field type "x" (byte array). * If there is an exception raised on Connection.connect or Connection.close, ensure that the underlying transport socket is closed. Adjust exception message on connection errors as well. * TCP_USER_TIMEOUT has to be excluded from KNOWN_TCP_OPTS in BSD platforms. * Handle negative acknowledgments. * Added integration tests. * Fix basic_consume() with no consumer_tag provided. * Improved empty AMQPError string representation. * Drain events before publish. This is needed to capture out of memory messages for clients that only publish. Otherwise on_blocked is never called. * Don't revive channel when connection is closing. When connection is closing don't raise error when Channel.Close method is received. 
Changes in python-ironic-lib: - update to version 2.14.2 - Replace openstack.org git:// URLs with https:// - OpenDev Migration Patch - Include partition name and flags from parted output Changes in python-keystoneauth1: - switch to tracking stable/rocky tarball - disable renderspec - update to version 3.10.1.dev10 * Make tests pass in 2020 * OpenDev Migration Patch * Revert "Change log hashing to SHA256" * import zuul job settings from project-config * Change log hashing to SHA256 * Update UPPER\_CONSTRAINTS\_FILE for stable/rocky * Update .gitreview for stable/rocky Changes in python-keystoneclient: - switch to tracking stable/rocky tarball - disable renderspec - update to version 3.17.0.dev5 * Make tests pass in 2020 * OpenDev Migration Patch * import zuul job settings from project-config * Update UPPER\_CONSTRAINTS\_FILE for stable/rocky * Update .gitreview for stable/rocky Changes in python-keystonemiddleware: - Use version_unconverted for documentation build - Update to version keystonemiddleware-5.2.2.dev3: * Make tests pass in 2022 * Make sure audit middleware use own context Changes in python-ovs: - add 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch (bsc#1158581) Changes in supportutils-plugin-suse-openstack-cloud: - Update to version 9.0.1574431436.987b47d: * Add services from SOC/HOS8 * Fix handling of ardana "config" dir and conf files in /opt/stack/service * Fix more failures of censoring passwords * Include configs and logs for neutron HA Changes in rubygem-crowbar-client: - Update to 3.9.1 - Fix repocheck table output (SOC-10718) - Enable restricted commands for Cloud8 (bsc#1117080, CVE-2018-17954) Changes in rubygem-puma: - Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770) This patch fixes a DoS vulnerability a malicious client could use to block a large amount of threads. 
Changes in venv-openstack-horizon: - replace neutron-lbaas dashboard with octavia dashboard (SOC-10883) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-642=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-642=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): crowbar-core-6.0+git.1582892022.cbd70e833-3.19.3 crowbar-core-branding-upstream-6.0+git.1582892022.cbd70e833-3.19.3 keepalived-2.0.19-3.3.1 keepalived-debuginfo-2.0.19-3.3.1 keepalived-debugsource-2.0.19-3.3.1 python-ovs-2.9.0-3.3.1 python-ovs-debuginfo-2.9.0-3.3.1 python-ovs-debugsource-2.9.0-3.3.1 ruby2.1-rubygem-crowbar-client-3.9.1-3.3.1 ruby2.1-rubygem-puma-2.16.0-4.3.1 ruby2.1-rubygem-puma-debuginfo-2.16.0-4.3.1 rubygem-puma-debugsource-2.16.0-4.3.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): crowbar-ha-6.0+git.1574286261.6fd1a34-3.13.2 crowbar-openstack-6.0+git.1580922461.67fb3c087-3.19.2 crowbar-ui-1.3.0+git.1575896697.a01a3a08-17.1 openstack-barbican-7.0.1~dev24-3.6.4 openstack-barbican-api-7.0.1~dev24-3.6.4 openstack-barbican-keystone-listener-7.0.1~dev24-3.6.4 openstack-barbican-retry-7.0.1~dev24-3.6.4 openstack-barbican-worker-7.0.1~dev24-3.6.4 openstack-ceilometer-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-central-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-compute-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-ipmi-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-notification-11.0.2~dev21-3.10.3 openstack-ceilometer-polling-11.0.2~dev21-3.10.3 openstack-cinder-13.0.9~dev11-3.16.3 openstack-cinder-api-13.0.9~dev11-3.16.3 openstack-cinder-backup-13.0.9~dev11-3.16.3 openstack-cinder-scheduler-13.0.9~dev11-3.16.3 openstack-cinder-volume-13.0.9~dev11-3.16.3 openstack-dashboard-14.1.1~dev1-3.12.2 
openstack-dashboard-theme-SUSE-2018.2+git.1555335229.5c8dec9-3.3.1 openstack-designate-7.0.1~dev23-3.13.3 openstack-designate-agent-7.0.1~dev23-3.13.3 openstack-designate-api-7.0.1~dev23-3.13.3 openstack-designate-central-7.0.1~dev23-3.13.3 openstack-designate-producer-7.0.1~dev23-3.13.3 openstack-designate-sink-7.0.1~dev23-3.13.3 openstack-designate-worker-7.0.1~dev23-3.13.3 openstack-heat-11.0.3~dev31-3.13.3 openstack-heat-api-11.0.3~dev31-3.13.3 openstack-heat-api-cfn-11.0.3~dev31-3.13.3 openstack-heat-engine-11.0.3~dev31-3.13.3 openstack-heat-plugin-heat_docker-11.0.3~dev31-3.13.3 openstack-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1 openstack-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1 openstack-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1 openstack-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2 openstack-ironic-11.1.4~dev22-3.13.2 openstack-ironic-api-11.1.4~dev22-3.13.2 openstack-ironic-conductor-11.1.4~dev22-3.13.2 openstack-ironic-python-agent-3.3.3~dev6-3.13.2 openstack-keystone-14.1.1~dev36-3.19.3 openstack-magnum-7.2.1~dev1-3.10.3 openstack-magnum-api-7.2.1~dev1-3.10.3 openstack-magnum-conductor-7.2.1~dev1-3.10.3 openstack-monasca-agent-2.8.1~dev13-3.6.2 openstack-neutron-13.0.7~dev48-3.19.3 openstack-neutron-dhcp-agent-13.0.7~dev48-3.19.3 openstack-neutron-fwaas-13.0.3~dev4-3.9.2 openstack-neutron-gbp-5.0.1~dev491-3.16.1 openstack-neutron-ha-tool-13.0.7~dev48-3.19.3 openstack-neutron-l3-agent-13.0.7~dev48-3.19.3 openstack-neutron-linuxbridge-agent-13.0.7~dev48-3.19.3 openstack-neutron-macvtap-agent-13.0.7~dev48-3.19.3 openstack-neutron-metadata-agent-13.0.7~dev48-3.19.3 openstack-neutron-metering-agent-13.0.7~dev48-3.19.3 openstack-neutron-openvswitch-agent-13.0.7~dev48-3.19.3 openstack-neutron-server-13.0.7~dev48-3.19.3 openstack-neutron-vpnaas-13.0.2~dev6-3.6.2 openstack-neutron-vyatta-agent-13.0.2~dev6-3.6.2 openstack-nova-18.2.4~dev63-3.19.3 openstack-nova-api-18.2.4~dev63-3.19.3 openstack-nova-cells-18.2.4~dev63-3.19.3 
openstack-nova-compute-18.2.4~dev63-3.19.3 openstack-nova-conductor-18.2.4~dev63-3.19.3 openstack-nova-console-18.2.4~dev63-3.19.3 openstack-nova-novncproxy-18.2.4~dev63-3.19.3 openstack-nova-placement-api-18.2.4~dev63-3.19.3 openstack-nova-scheduler-18.2.4~dev63-3.19.3 openstack-nova-serialproxy-18.2.4~dev63-3.19.3 openstack-nova-vncproxy-18.2.4~dev63-3.19.3 openstack-octavia-3.2.2~dev8-3.19.1 openstack-octavia-amphora-agent-3.2.2~dev8-3.19.1 openstack-octavia-amphora-image-debugsource-0.1.2-7.6.3 openstack-octavia-amphora-image-x86_64-0.1.2-7.6.3 openstack-octavia-api-3.2.2~dev8-3.19.1 openstack-octavia-health-manager-3.2.2~dev8-3.19.1 openstack-octavia-housekeeping-3.2.2~dev8-3.19.1 openstack-octavia-worker-3.2.2~dev8-3.19.1 openstack-sahara-9.0.2~dev15-3.9.2 openstack-sahara-api-9.0.2~dev15-3.9.2 openstack-sahara-engine-9.0.2~dev15-3.9.2 openstack-swift-2.19.2~dev48-3.3.1 openstack-swift-account-2.19.2~dev48-3.3.1 openstack-swift-container-2.19.2~dev48-3.3.1 openstack-swift-object-2.19.2~dev48-3.3.1 openstack-swift-proxy-2.19.2~dev48-3.3.1 python-amqp-2.4.2-4.3.1 python-barbican-7.0.1~dev24-3.6.4 python-ceilometer-11.0.2~dev21-3.10.3 python-cinder-13.0.9~dev11-3.16.3 python-designate-7.0.1~dev23-3.13.3 python-heat-11.0.3~dev31-3.13.3 python-horizon-14.1.1~dev1-3.12.2 python-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1 python-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1 python-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1 python-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2 python-ironic-11.1.4~dev22-3.13.2 python-ironic-lib-2.14.2-3.3.1 python-keystone-14.1.1~dev36-3.19.3 python-keystoneauth1-3.10.1~dev10-3.3.1 python-keystoneclient-3.17.1~dev5-3.3.1 python-keystoneclient-doc-3.17.1~dev5-3.3.1 python-keystonemiddleware-5.2.2~dev3-14.2 python-magnum-7.2.1~dev1-3.10.3 python-monasca-agent-2.8.1~dev13-3.6.2 python-neutron-13.0.7~dev48-3.19.3 python-neutron-fwaas-13.0.3~dev4-3.9.2 python-neutron-gbp-5.0.1~dev491-3.16.1 python-neutron-vpnaas-13.0.2~dev6-3.6.2 
python-nova-18.2.4~dev63-3.19.3 python-octavia-3.2.2~dev8-3.19.1 python-openstack_auth-14.1.1~dev1-3.12.2 python-sahara-9.0.2~dev15-3.9.2 python-swift-2.19.2~dev48-3.3.1 supportutils-plugin-suse-openstack-cloud-9.0.1574431436.987b47d-3.6.1 - SUSE OpenStack Cloud 9 (x86_64): keepalived-2.0.19-3.3.1 keepalived-debuginfo-2.0.19-3.3.1 keepalived-debugsource-2.0.19-3.3.1 python-ovs-2.9.0-3.3.1 python-ovs-debuginfo-2.9.0-3.3.1 python-ovs-debugsource-2.9.0-3.3.1 - SUSE OpenStack Cloud 9 (noarch): ardana-ansible-9.0+git.1581611758.f694f7d-3.16.1 ardana-cinder-9.0+git.1579256229.c8b4b38-3.10.1 ardana-cobbler-9.0+git.1574950066.a3c4be4-3.10.1 ardana-db-9.0+git.1578936438.b9a9b95-3.16.1 ardana-horizon-9.0+git.1575562864.8ed5e10-3.13.1 ardana-input-model-9.0+git.1580403439.d425462-3.13.1 ardana-monasca-9.0+git.1579273481.4b8c46f-3.13.1 ardana-mq-9.0+git.1581024903.8e74867-3.10.1 ardana-nova-9.0+git.1580304673.6c668eb-3.16.1 ardana-octavia-9.0+git.1576074489.62de7e2-3.13.1 ardana-osconfig-9.0+git.1580235830.0dca223-3.13.1 ardana-tempest-9.0+git.1578932816.e299c08-3.10.1 ardana-tls-9.0+git.1575296665.3fdfe45-3.9.1 openstack-barbican-7.0.1~dev24-3.6.4 openstack-barbican-api-7.0.1~dev24-3.6.4 openstack-barbican-keystone-listener-7.0.1~dev24-3.6.4 openstack-barbican-retry-7.0.1~dev24-3.6.4 openstack-barbican-worker-7.0.1~dev24-3.6.4 openstack-ceilometer-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-central-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-compute-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-ipmi-11.0.2~dev21-3.10.3 openstack-ceilometer-agent-notification-11.0.2~dev21-3.10.3 openstack-ceilometer-polling-11.0.2~dev21-3.10.3 openstack-cinder-13.0.9~dev11-3.16.3 openstack-cinder-api-13.0.9~dev11-3.16.3 openstack-cinder-backup-13.0.9~dev11-3.16.3 openstack-cinder-scheduler-13.0.9~dev11-3.16.3 openstack-cinder-volume-13.0.9~dev11-3.16.3 openstack-dashboard-14.1.1~dev1-3.12.2 openstack-dashboard-theme-SUSE-2018.2+git.1555335229.5c8dec9-3.3.1 
openstack-designate-7.0.1~dev23-3.13.3 openstack-designate-agent-7.0.1~dev23-3.13.3 openstack-designate-api-7.0.1~dev23-3.13.3 openstack-designate-central-7.0.1~dev23-3.13.3 openstack-designate-producer-7.0.1~dev23-3.13.3 openstack-designate-sink-7.0.1~dev23-3.13.3 openstack-designate-worker-7.0.1~dev23-3.13.3 openstack-heat-11.0.3~dev31-3.13.3 openstack-heat-api-11.0.3~dev31-3.13.3 openstack-heat-api-cfn-11.0.3~dev31-3.13.3 openstack-heat-engine-11.0.3~dev31-3.13.3 openstack-heat-plugin-heat_docker-11.0.3~dev31-3.13.3 openstack-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1 openstack-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1 openstack-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1 openstack-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2 openstack-ironic-11.1.4~dev22-3.13.2 openstack-ironic-api-11.1.4~dev22-3.13.2 openstack-ironic-conductor-11.1.4~dev22-3.13.2 openstack-ironic-python-agent-3.3.3~dev6-3.13.2 openstack-keystone-14.1.1~dev36-3.19.3 openstack-magnum-7.2.1~dev1-3.10.3 openstack-magnum-api-7.2.1~dev1-3.10.3 openstack-magnum-conductor-7.2.1~dev1-3.10.3 openstack-monasca-agent-2.8.1~dev13-3.6.2 openstack-neutron-13.0.7~dev48-3.19.3 openstack-neutron-dhcp-agent-13.0.7~dev48-3.19.3 openstack-neutron-fwaas-13.0.3~dev4-3.9.2 openstack-neutron-gbp-5.0.1~dev491-3.16.1 openstack-neutron-ha-tool-13.0.7~dev48-3.19.3 openstack-neutron-l3-agent-13.0.7~dev48-3.19.3 openstack-neutron-linuxbridge-agent-13.0.7~dev48-3.19.3 openstack-neutron-macvtap-agent-13.0.7~dev48-3.19.3 openstack-neutron-metadata-agent-13.0.7~dev48-3.19.3 openstack-neutron-metering-agent-13.0.7~dev48-3.19.3 openstack-neutron-openvswitch-agent-13.0.7~dev48-3.19.3 openstack-neutron-server-13.0.7~dev48-3.19.3 openstack-neutron-vpnaas-13.0.2~dev6-3.6.2 openstack-neutron-vyatta-agent-13.0.2~dev6-3.6.2 openstack-nova-18.2.4~dev63-3.19.3 openstack-nova-api-18.2.4~dev63-3.19.3 openstack-nova-cells-18.2.4~dev63-3.19.3 openstack-nova-compute-18.2.4~dev63-3.19.3 openstack-nova-conductor-18.2.4~dev63-3.19.3 
openstack-nova-console-18.2.4~dev63-3.19.3 openstack-nova-novncproxy-18.2.4~dev63-3.19.3 openstack-nova-placement-api-18.2.4~dev63-3.19.3 openstack-nova-scheduler-18.2.4~dev63-3.19.3 openstack-nova-serialproxy-18.2.4~dev63-3.19.3 openstack-nova-vncproxy-18.2.4~dev63-3.19.3 openstack-octavia-3.2.2~dev8-3.19.1 openstack-octavia-amphora-agent-3.2.2~dev8-3.19.1 openstack-octavia-amphora-image-debugsource-0.1.2-7.6.3 openstack-octavia-amphora-image-x86_64-0.1.2-7.6.3 openstack-octavia-api-3.2.2~dev8-3.19.1 openstack-octavia-health-manager-3.2.2~dev8-3.19.1 openstack-octavia-housekeeping-3.2.2~dev8-3.19.1 openstack-octavia-worker-3.2.2~dev8-3.19.1 openstack-sahara-9.0.2~dev15-3.9.2 openstack-sahara-api-9.0.2~dev15-3.9.2 openstack-sahara-engine-9.0.2~dev15-3.9.2 openstack-swift-2.19.2~dev48-3.3.1 openstack-swift-account-2.19.2~dev48-3.3.1 openstack-swift-container-2.19.2~dev48-3.3.1 openstack-swift-object-2.19.2~dev48-3.3.1 openstack-swift-proxy-2.19.2~dev48-3.3.1 python-amqp-2.4.2-4.3.1 python-barbican-7.0.1~dev24-3.6.4 python-ceilometer-11.0.2~dev21-3.10.3 python-cinder-13.0.9~dev11-3.16.3 python-designate-7.0.1~dev23-3.13.3 python-heat-11.0.3~dev31-3.13.3 python-horizon-14.1.1~dev1-3.12.2 python-horizon-plugin-designate-ui-7.0.1~dev8-3.6.1 python-horizon-plugin-ironic-ui-3.3.1~dev14-3.3.1 python-horizon-plugin-neutron-lbaas-ui-5.0.1~dev8-11.1 python-horizon-plugin-octavia-ui-2.0.2~dev1-1.3.2 python-ironic-11.1.4~dev22-3.13.2 python-ironic-lib-2.14.2-3.3.1 python-keystone-14.1.1~dev36-3.19.3 python-keystoneauth1-3.10.1~dev10-3.3.1 python-keystoneclient-3.17.1~dev5-3.3.1 python-keystoneclient-doc-3.17.1~dev5-3.3.1 python-keystonemiddleware-5.2.2~dev3-14.2 python-magnum-7.2.1~dev1-3.10.3 python-monasca-agent-2.8.1~dev13-3.6.2 python-neutron-13.0.7~dev48-3.19.3 python-neutron-fwaas-13.0.3~dev4-3.9.2 python-neutron-gbp-5.0.1~dev491-3.16.1 python-neutron-vpnaas-13.0.2~dev6-3.6.2 python-nova-18.2.4~dev63-3.19.3 python-octavia-3.2.2~dev8-3.19.1 
python-openstack_auth-14.1.1~dev1-3.12.2 python-sahara-9.0.2~dev15-3.9.2 python-swift-2.19.2~dev48-3.3.1 supportutils-plugin-suse-openstack-cloud-9.0.1574431436.987b47d-3.6.1 venv-openstack-barbican-x86_64-7.0.1~dev24-3.15.1 venv-openstack-cinder-x86_64-13.0.9~dev11-3.15.1 venv-openstack-designate-x86_64-7.0.1~dev23-3.15.1 venv-openstack-glance-x86_64-17.0.1~dev30-3.13.1 venv-openstack-heat-x86_64-11.0.3~dev31-3.15.1 venv-openstack-horizon-x86_64-14.1.1~dev1-4.14.2 venv-openstack-ironic-x86_64-11.1.4~dev22-4.11.1 venv-openstack-keystone-x86_64-14.1.1~dev36-3.15.1 venv-openstack-magnum-x86_64-7.2.1~dev1-4.15.1 venv-openstack-manila-x86_64-7.3.1~dev15-3.15.1 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.15.1 venv-openstack-monasca-x86_64-2.7.1~dev10-3.13.1 venv-openstack-neutron-x86_64-13.0.7~dev48-6.15.1 venv-openstack-nova-x86_64-18.2.4~dev63-3.15.1 venv-openstack-octavia-x86_64-3.2.2~dev8-4.15.1 venv-openstack-sahara-x86_64-9.0.2~dev15-3.15.1 venv-openstack-swift-x86_64-2.19.2~dev48-2.10.1 References: https://www.suse.com/security/cve/CVE-2018-17954.html https://www.suse.com/security/cve/CVE-2019-13117.html https://www.suse.com/security/cve/CVE-2019-16770.html https://bugzilla.suse.com/1117080 https://bugzilla.suse.com/1152007 https://bugzilla.suse.com/1154235 https://bugzilla.suse.com/1156305 https://bugzilla.suse.com/1156914 https://bugzilla.suse.com/1157028 https://bugzilla.suse.com/1157206 https://bugzilla.suse.com/1157482 https://bugzilla.suse.com/1158581 https://bugzilla.suse.com/1158675 https://bugzilla.suse.com/1161351 https://bugzilla.suse.com/1161721 From sle-security-updates at lists.suse.com Wed Mar 11 11:32:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Mar 2020 18:32:00 +0100 (CET) Subject: SUSE-SU-2020:0647-1: moderate: Security update for php72 Message-ID: <20200311173200.64099F798@maintenance.suse.de> SUSE Security Update: Security update for php72 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0647-1 Rating: moderate References: #1165280 #1165289 Cross-References: CVE-2020-7062 CVE-2020-7063 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for php72 fixes the following issues: - CVE-2020-7062: Fixed a null pointer dereference when using file upload functionality under specific circumstances (bsc#1165280). - CVE-2020-7063: Fixed an issue where adding files change the permissions to default (bsc#1165289). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-647=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-647=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-647=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.40.1 php72-debugsource-7.2.5-1.40.1 php72-devel-7.2.5-1.40.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.40.1 php72-debugsource-7.2.5-1.40.1 php72-devel-7.2.5-1.40.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php72-7.2.5-1.40.1 apache2-mod_php72-debuginfo-7.2.5-1.40.1 php72-7.2.5-1.40.1 php72-bcmath-7.2.5-1.40.1 php72-bcmath-debuginfo-7.2.5-1.40.1 php72-bz2-7.2.5-1.40.1 
php72-bz2-debuginfo-7.2.5-1.40.1 php72-calendar-7.2.5-1.40.1 php72-calendar-debuginfo-7.2.5-1.40.1 php72-ctype-7.2.5-1.40.1 php72-ctype-debuginfo-7.2.5-1.40.1 php72-curl-7.2.5-1.40.1 php72-curl-debuginfo-7.2.5-1.40.1 php72-dba-7.2.5-1.40.1 php72-dba-debuginfo-7.2.5-1.40.1 php72-debuginfo-7.2.5-1.40.1 php72-debugsource-7.2.5-1.40.1 php72-dom-7.2.5-1.40.1 php72-dom-debuginfo-7.2.5-1.40.1 php72-enchant-7.2.5-1.40.1 php72-enchant-debuginfo-7.2.5-1.40.1 php72-exif-7.2.5-1.40.1 php72-exif-debuginfo-7.2.5-1.40.1 php72-fastcgi-7.2.5-1.40.1 php72-fastcgi-debuginfo-7.2.5-1.40.1 php72-fileinfo-7.2.5-1.40.1 php72-fileinfo-debuginfo-7.2.5-1.40.1 php72-fpm-7.2.5-1.40.1 php72-fpm-debuginfo-7.2.5-1.40.1 php72-ftp-7.2.5-1.40.1 php72-ftp-debuginfo-7.2.5-1.40.1 php72-gd-7.2.5-1.40.1 php72-gd-debuginfo-7.2.5-1.40.1 php72-gettext-7.2.5-1.40.1 php72-gettext-debuginfo-7.2.5-1.40.1 php72-gmp-7.2.5-1.40.1 php72-gmp-debuginfo-7.2.5-1.40.1 php72-iconv-7.2.5-1.40.1 php72-iconv-debuginfo-7.2.5-1.40.1 php72-imap-7.2.5-1.40.1 php72-imap-debuginfo-7.2.5-1.40.1 php72-intl-7.2.5-1.40.1 php72-intl-debuginfo-7.2.5-1.40.1 php72-json-7.2.5-1.40.1 php72-json-debuginfo-7.2.5-1.40.1 php72-ldap-7.2.5-1.40.1 php72-ldap-debuginfo-7.2.5-1.40.1 php72-mbstring-7.2.5-1.40.1 php72-mbstring-debuginfo-7.2.5-1.40.1 php72-mysql-7.2.5-1.40.1 php72-mysql-debuginfo-7.2.5-1.40.1 php72-odbc-7.2.5-1.40.1 php72-odbc-debuginfo-7.2.5-1.40.1 php72-opcache-7.2.5-1.40.1 php72-opcache-debuginfo-7.2.5-1.40.1 php72-openssl-7.2.5-1.40.1 php72-openssl-debuginfo-7.2.5-1.40.1 php72-pcntl-7.2.5-1.40.1 php72-pcntl-debuginfo-7.2.5-1.40.1 php72-pdo-7.2.5-1.40.1 php72-pdo-debuginfo-7.2.5-1.40.1 php72-pgsql-7.2.5-1.40.1 php72-pgsql-debuginfo-7.2.5-1.40.1 php72-phar-7.2.5-1.40.1 php72-phar-debuginfo-7.2.5-1.40.1 php72-posix-7.2.5-1.40.1 php72-posix-debuginfo-7.2.5-1.40.1 php72-pspell-7.2.5-1.40.1 php72-pspell-debuginfo-7.2.5-1.40.1 php72-readline-7.2.5-1.40.1 php72-readline-debuginfo-7.2.5-1.40.1 php72-shmop-7.2.5-1.40.1 
php72-shmop-debuginfo-7.2.5-1.40.1 php72-snmp-7.2.5-1.40.1 php72-snmp-debuginfo-7.2.5-1.40.1 php72-soap-7.2.5-1.40.1 php72-soap-debuginfo-7.2.5-1.40.1 php72-sockets-7.2.5-1.40.1 php72-sockets-debuginfo-7.2.5-1.40.1 php72-sodium-7.2.5-1.40.1 php72-sodium-debuginfo-7.2.5-1.40.1 php72-sqlite-7.2.5-1.40.1 php72-sqlite-debuginfo-7.2.5-1.40.1 php72-sysvmsg-7.2.5-1.40.1 php72-sysvmsg-debuginfo-7.2.5-1.40.1 php72-sysvsem-7.2.5-1.40.1 php72-sysvsem-debuginfo-7.2.5-1.40.1 php72-sysvshm-7.2.5-1.40.1 php72-sysvshm-debuginfo-7.2.5-1.40.1 php72-tidy-7.2.5-1.40.1 php72-tidy-debuginfo-7.2.5-1.40.1 php72-tokenizer-7.2.5-1.40.1 php72-tokenizer-debuginfo-7.2.5-1.40.1 php72-wddx-7.2.5-1.40.1 php72-wddx-debuginfo-7.2.5-1.40.1 php72-xmlreader-7.2.5-1.40.1 php72-xmlreader-debuginfo-7.2.5-1.40.1 php72-xmlrpc-7.2.5-1.40.1 php72-xmlrpc-debuginfo-7.2.5-1.40.1 php72-xmlwriter-7.2.5-1.40.1 php72-xmlwriter-debuginfo-7.2.5-1.40.1 php72-xsl-7.2.5-1.40.1 php72-xsl-debuginfo-7.2.5-1.40.1 php72-zip-7.2.5-1.40.1 php72-zip-debuginfo-7.2.5-1.40.1 php72-zlib-7.2.5-1.40.1 php72-zlib-debuginfo-7.2.5-1.40.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php72-pear-7.2.5-1.40.1 php72-pear-Archive_Tar-7.2.5-1.40.1 References: https://www.suse.com/security/cve/CVE-2020-7062.html https://www.suse.com/security/cve/CVE-2020-7063.html https://bugzilla.suse.com/1165280 https://bugzilla.suse.com/1165289 From sle-security-updates at lists.suse.com Wed Mar 11 11:34:57 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Mar 2020 18:34:57 +0100 (CET) Subject: SUSE-SU-2020:0640-1: important: Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, 
crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift Message-ID: <20200311173457.4B897F798@maintenance.suse.de> SUSE Security Update: Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, 
python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0640-1 Rating: important References: #1077717 #1117080 #1117840 #1123191 #1148158 #1152007 #1154235 #1155089 #1155942 #1156305 #1156669 #1156914 #1157028 #1157206 #1157482 #1158675 #1160048 #1160878 #1160883 #1160895 #1160912 #1161351 #1161517 #1162388 Cross-References: CVE-2017-1002201 CVE-2018-17954 CVE-2019-13117 CVE-2019-16770 CVE-2019-18901 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805 CVE-2019-2938 CVE-2019-2974 CVE-2020-2574 CVE-2020-7595 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 14 vulnerabilities and has 10 fixes is now available. Description: This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, 
python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift fixes the following issues: Security issues fixed: The update of rubygem-crowbar-client, rubygem-puma fixes the following security issues: - CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080). - CVE-2019-16770: Fixed a denial-of-service vulnerability that was exploitable by clients sending extraneous keepalive requests (bsc#1158675). The update of mariadb to 10.2.29 fixes several security issues: - CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). - CVE-2019-18901: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). - CVE-2017-1002201: Fixed an issue where special characters did not escape properly (bsc#1155089) - CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974: Fixed an issue which could lead a remote attacker to cause denial of service (bsc#1156669) Non-security issues fixed: Changes in ardana-cinder: - Update to version 8.0+git.1579279939.ee7da88: * Add option to flatten snapshots when using SES (SOC-11054) - Update to version 8.0+git.1571846011.1a2f62b: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-cobbler: - Update to version 8.0+git.1575037115.0326803: * Set root device on SLES autoyast templates (SOC-7365) Changes in ardana-designate: - Update to version 8.0+git.1573597788.15b7984: * Update gerrit location (SOC-9140) Changes in ardana-extensions-example: - Switch to new Gerrit Server - Update to version 8.0+git.1534266307.db1ec28: * SCPL-409 Fix .gitreview for stable/pike Changes in ardana-extensions-nsx: - Update to version 8.0+git.1567529036.a41a037: * Update policy json templates for vmware-nsx (SOC-10254) - Switch to new Gerrit Server Changes 
in ardana-glance: - Update to version 8.0+git.1571846045.ab9e3ea: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-heat: - Update to version 8.0+git.1571777596.14dce6a: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-input-model: - Update to version 8.0+git.1582147997.b9ed134: * Enable port security extension neutron (SOC-11027) - Update to version 8.0+git.1573658751.38e822a: * Move manila share to controller (SOC-10938) Changes in ardana-ironic: - Update to version 8.0+git.1571845225.006843d: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-keystone: - Update to version 8.0+git.1573147067.09e3ea0: * enable debug and insecure_debug on demand (SOC-10934) Changes in ardana-logging: - Update to version 8.0+git.1572452293.e65d714: * use correct Keystone v3 params bsc#1117840 (SOC-9753) Changes in ardana-monasca: - Update to version 8.0+git.1572527728.9b34bdf: * use correct Keystone v3 params bsc#1117840 (SOC-9753) * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-monasca-transform: - Update to version 8.0+git.1571845965.97714fb: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-mq: - Update to version 8.0+git.1581024906.fbf0be3: * Ensure HA queue sync wait fails (SOC-11083) * Fix HA policy setting comments (SOC-10317, SOC-11082) - Update to version 8.0+git.1580853688.4e72fc1: * Set HA policy accordingly (SOC-10317, SOC-11082) - Update to version 8.0+git.1579014733.a855e3a: * Change the HA policy mirror (SOC-10317) Changes in ardana-neutron: - Update to version 8.0+git.1573050365.ff6fa06: * Kill dhclient before restarting neutron-openvswitch-agent (SOC-9230) - Update to version 8.0+git.1571846086.19cb7eb: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-nova: - Update to version 8.0+git.1571846125.584d988: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-octavia: - Update to version 8.0+git.1575642049.1f321d0: * Change 
event_streamer_driver to noop (bsc#1154235) Changes in ardana-osconfig: - Update to version 8.0+git.1581015942.2d21e63: * Adjust 'fs.inotify.max_user_instances' to align with crowbar (bsc#1161351) - Update to version 8.0+git.1580469528.0ac2a8b: * Start OVS services before wicked service at boot (SOC-11067) Changes in ardana-tempest: - Update to version 8.0+git.1579261264.7dd213a: * Create network resources needed by some heat tests (SOC-7028) - Update to version 8.0+git.1573571182.8fa9823: * Restore designate test (SOC-9753) - Update to version 8.0+git.1571846164.6279bc0: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in crowbar-core: - Update to version 5.0+git.1582968668.1a55c77c5: * Ignore CVE-2020-7595 in CI (bsc#1161517) - Update to version 5.0+git.1582543433.f71d39544: * Fix deployment queue display (SOC-10741) - Update to version 5.0+git.1580209640.80f2ba3d9: * network: start OVS before wickedd (SOC-11067) - Update to version 5.0+git.1579705862.220974047: * dns: add checks to designate migration (SOC-11047) - Update to version 5.0+git.1579271614.eac1c490c: * upgrade: Add the upgrade menu entry (SOC-11053) * upgrade: Fix upgrade link (SOC-11053) - Update to version 5.0+git.1578989446.a2d23b7e1: * Do not log an error for a case that is correct (trivial) - Update to version 5.0+git.1578472131.b88a31055: * apache2: Restart after enabling SSL flag (SOC-11029) - Update to version 5.0+git.1578295229.96952deab: * Avoid nil crash when provisioner attributes are not set (bsc#1160048) - Update to version 5.0+git.1578063264.d0223905b: * Ignore CVE-2019-16770 (SOC-10999) - Update to version 5.0+git.1576053049.a2f4c9820: * upgrade: Remove DRBD specific code from the preparation parts (SOC-10985) - Update to version 5.0+git.1575020613.fc167f4dc: * List XEN nodes when failing precheck (trivial) - Update to version 5.0+git.1574763025.0a6957f37: * Disable installation repository (bsc#1152007) * Disable automatic repo services (bsc#1152007) * Designate: Don't add 
the admin node to the public network (SOC-10658) - Update to version 5.0+git.1574715523.ee8e58f4b: * upgrade: Check the result after committing proposal (noref) * upgrade: Do not try to disable services that might not exist (noref) - Update to version 5.0+git.1574667034.76644f658: * [upgrade] Remove existing upgrade directories from nodes (SOC-10956) - Update to version 5.0+git.1574348992.88de970a6: * [upgrade] Wait for keystone to be ready after start (bsc#1157206) - Update to version 5.0+git.1574270784.294f0e830: * upgrade: Ignore Cloud repository during repocheck (bsc#1152007) - Update to version 5.0+git.1574165163.52870c62e: * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942) - Update to version 5.0+git.1574103089.1fbb5a51d: * Ignore CVE-2019-13117 in CI builds (bsc#1157028) * upgrade: Make the time before next upgrade configurable (SOC-10955) * upgrade: Make sure cinder-volume is really stopped (bsc#1156305) - Update to version 5.0+git.1573110008.449237f0d: * Allow pacemaker remotes for upgrade (SOC-10133) * upgrade: Precheck for unsaved proposals (SOC-10912) - Update to version 5.0+git.1572880575.4a6efa3a1: * upgrade: Add a precheck for XEN compute nodes presence (SOC-10495) * upgrade: Reload repo config in repochecks (SOC-10718) - Update to version 5.0+git.1572097431.519baa552: * Ignore CVE-2017-1002201 in CI builds (bsc#1155089) - Update to version 5.0+git.1571210032.8648ab99c: * Revert "Use block-migration when needed" (SOC-10133) Changes in crowbar-ha: - Update to version 5.0+git.1574286229.e0364c3: * Drop g-haproxy location before group deletion (bsc#1156914) Changes in crowbar-openstack: - Update to version 5.0+git.1582911795.5081ef1da: * designate: Mark as user managed (SOC-10233) * Designate: make sure dns-server is active on a non-admin node (SOC-10636) - Update to version 5.0+git.1580549331.ba1e1a0a3: * [5.0] ec2-api: run keystone_register on cluster founder only (SOC-11079) - Update to version 5.0+git.1579182968.f54cfa8f5: * 
tempest: tempest run filters as templates (SOC-11052) - Update to version 5.0+git.1578515319.fdab3a0b2: * Install openstack client for neutron recipes (SOC-11039) - Update to version 5.0+git.1576764142.8efe58655: * Do not read data from barclamp that has not been saved (SOC-11028) - Update to version 5.0+git.1576666547.b7a0b8814: * Revert "Octavia: Hide UI until complete (SOC-10550)" - Update to version 5.0+git.1576250115.67b80cbca: * [5.0] tempest: Update default image on schema (SOC-11023) - Update to version 5.0+git.1576078873.ecc798ffe: * neutron: Revert remove .openrc creation from neutron cookbooks (SOC-10378) * keystone: Add OS_INTERFACE env var to .openrc (SOC-11006) - Update to version 5.0+git.1574927541.694ac3863: * designate: move keystone resource lookup to convergence (SOC-10887) - Update to version 5.0+git.1574769056.07a7c373e: * designate: declare all mdns servers as master on pool config (SOC-10952) * designate: add support for SSL (SOC-10877) * designate: change default configuration (SOC-10899) - Update to version 5.0+git.1574421761.ace345683: * Add tempest filter for designate (SOC-10288) - Update to version 5.0+git.1574359417.113b616b2: * horizon: install lbaas horizon dashboard (SOC-10883) - Update to version 5.0+git.1572937880.ffb86e88b: * Make sure the input file with ssh key exists (SOC-10133) - Update to version 5.0+git.1571764038.ad48726d6: * mysql: fix WSREP sync race (SOC-10717) * mysql: stop service for mysql_install_db (SOC-10717) * Do not use obsoleted --endpoint-type option with CLI - Update to version 5.0+git.1571323259.7402ef5eb: * [5.0] Tempest: blacklist test_volume_boot_pattern (SOC-10874) - Update to version 5.0+git.1571241534.f4af21325: * rabbitmq: fix migration 200 (SOC-10623) * Fix Cloud 8 no-op migrations (SOC-10623) * neutron-lbaas: remove loadbalancer/pool limit * [5.0] Configurable timeout for Galera pre-sync - Update to version 5.0+git.1571138324.edb9e8b56: * horizon: tighten check for existence of monasca while 
deploying grafana * monasca: improve detection if monasca-server is available * monasca: install agent before run setup monitors in server * Monasca: Handle node reinstall (jsc#SOC-10440, bsc#1148158 ) - Update to version 5.0+git.1570618886.06022a6ef: * glance: Set barbican auth endpoint (bsc#1123191, SOC-10844) * tempest: Add barbican run_filters from ardana (SOC-10844) * Fix nova tempest tests (SOC-9298, SOC-10844) - Update to version 5.0+git.1570505588.4bdc5aa6f: * No rndc key if no public DNS server (SOC-10835) Changes in crowbar-ui: - Update to version 1.2.0+git.1575896697.a01a3a08: * upgrade: Added missing error title * travis: Stop testing against nodejs4 - Update to version 1.2.0+git.1572871359.50fc6087: * Add title for XEN compute nodes precheck (SOC-10495) Changes in keepalived: - update to 2.0.19 - new BR pkgconfig(libnftnl) to fix nftables support - add nftables to the BR - added patch * linux-4.15.patch - add buildrequires for file-devel - used in the checker to verify scripts - enable json stats and config dump support new BR: pkgconfig(json-c) - enable http regexp support: new BR pcre2-devel - disable dbus instance creation support as it is marked as dangerous - Add BFD build option to keepalived.spec rpm file Issue #1114 identified that the keepalived.spec file was not being generated to build BFD support even if keepalived had been configured to support it. 
- full changelog https://keepalived.org/changelog.html

Changes in mariadb:
- update to 10.2.31 GA [bsc#1162388]
  * Fixes for the following security vulnerabilities:
    * 10.2.31: CVE-2020-2574
    * 10.2.30: none
  * release notes and changelog:
    https://mariadb.com/kb/en/library/mariadb-10231-release-notes
    https://mariadb.com/kb/en/library/mariadb-10231-changelog
    https://mariadb.com/kb/en/library/mariadb-10230-release-notes
    https://mariadb.com/kb/en/library/mariadb-10230-changelog
- refresh mariadb-10.1.12-deharcode-libdir.patch
- remove mariadb-10.2.29-bufferoverflowstrncat.patch (upstreamed)
- pack pam_user_map.so module in the /%{_lib}/security directory and user_map.conf configuration file in the /etc/security directory
- fix race condition with mysql_upgrade_info status file by moving it to the location owned by root (/var/lib/misc) CVE-2019-18901 [bsc#1160895]
- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't use it for a symlink attack [bsc#1160912]
- on BTRFS systems /var/lib/mysql is created as a subvolume with 755 permissions during the system installation. Fix it to 700 as mysql_install_db doesn't do it [bsc#1077717]
- add important options to mariadb.service and mariadb@.service (ProtectSystem, ProtectHome and UMask) [bsc#1160878]
- mysql-systemd-helper: use systemd-tmpfiles instead of shell script operations for cleaner and safer creation of /run/mysql [bsc#1160883]
- update to 10.2.29 GA
  * Fixes for the following security vulnerabilities:
    * 10.2.29: none
    * 10.2.28: CVE-2019-2974, CVE-2019-2938
    * 10.2.27: none
    * 10.2.26: CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737, CVE-2019-2758
  * release notes and changelog:
    https://mariadb.com/kb/en/library/mariadb-10229-release-notes
    https://mariadb.com/kb/en/library/mariadb-10229-changelog
    https://mariadb.com/kb/en/library/mariadb-10228-release-notes
    https://mariadb.com/kb/en/library/mariadb-10228-changelog
    https://mariadb.com/kb/en/library/mariadb-10227-release-notes
    https://mariadb.com/kb/en/library/mariadb-10227-changelog
    https://mariadb.com/kb/en/library/mariadb-10226-release-notes
    https://mariadb.com/kb/en/library/mariadb-10226-changelog
- refresh
  mariadb-10.0.15-logrotate-su.patch
  mariadb-10.2.4-logrotate.patch
- add mariadb-10.2.29-bufferoverflowstrncat.patch to fix "Statement might be overflowing a buffer in strncat" error
- tracker bug [bsc#1156669]
- add main.gis_notembedded to the skipped tests (fails when latin1 is not set)

Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev23:
  * Fix handling of 'cinder_encryption_key_id' image metadata
- Update to version cinder-11.2.3.dev21:
  * Add retry to LVM deactivation
- Update to version cinder-11.2.3.dev19:
  * Fix ceph: only close rbd image after snapshot iteration is finished
- Update to version cinder-11.2.3.dev17:
  * Exclude disabled API versions from listing

Changes in openstack-dashboard:
- Update to version horizon-12.0.5.dev2:
  * Use python 2.7 as the default interpreter in tox
  * OpenDev Migration Patch 12.0.4

Changes in openstack-dashboard-theme-SUSE:
- Update to version 2017.2+git.1573629528.6b21fa5:
  * SCRD-7984 fixed help links

Changes in openstack-heat:
- Update to version heat-9.0.8.dev22:
  * Do deepcopy when copying templates
- Update to version heat-9.0.8.dev21:
  * Set stack.thread_group_mgr for cancel_update
  * Eliminate client race condition in convergence delete
  * Delete snapshots using contemporary resources
- Update to version heat-9.0.8.dev15:
  * Unskip StackSnapshotRestoreTest
- Update to version heat-9.0.8.dev14:
  * Fix translate tenants in flavor

Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1560033670.e3b5a52:
  * Add example for running Zun container
  * OpenDev Migration Patch
  * Replace openstack.org git:// URLs with https://
  * Remove docs, deprecated hooks, tests
  * Update the bugs link to storyboard
  * Use octavia resources for autoscaling example
  * Fix the incorrect cirros default password

Changes in openstack-horizon-plugin-designate-ui:
- Update to version designate-dashboard-5.0.3.dev2:
  * Fix list zones updated at same time
  * OpenDev Migration Patch 5.0.2

Changes in openstack-horizon-plugin-neutron-lbaas-ui:
- Add _1481_project_ng_loadbalancersv2_panel.pyc file to package
  (SOC-10883)
  The .pyc file needs to be removed when the package is uninstalled, otherwise the panel will remain enabled in the dashboard and cause errors.

Changes in openstack-ironic:
- Update to version ironic-9.1.8.dev8:
  * Place upper bound on python-dracclient version

Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev5:
  * Import LDAP job into project

Changes in openstack-monasca-agent:
- Added dependency:
  * fdupes
  * pwdutils and shadow-utils for useradd/groupadd
- added 0001-add-X.509-certificate-check-plugin.patch

Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev60:
  * Set DB retry for quota_enforcement pecan_wsgi hook
- Update to version neutron-11.0.9.dev58:
  * don't clear skb mark when ovs is hw-offload enabled
- Update to version neutron-11.0.9.dev57:
  * doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
  * raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
  * [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
  * Initialize phys bridges before setup_rpc

Changes in openstack-neutron:
- Update neutron-ha-tool to latest version:
  * Add DHCP agent evacuation (SOC-11046)
- Update to version neutron-11.0.9.dev60:
  * Set DB retry for quota_enforcement pecan_wsgi hook
- Update to version neutron-11.0.9.dev58:
  * don't clear skb mark when ovs is hw-offload enabled
- neutron: Remove stop action from ovs-cleanup (bsc#1157482)
  backport of https://review.opendev.org/#/c/695867/
- Update to version neutron-11.0.9.dev57:
  * doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
  * raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
  * [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
  * Initialize phys bridges before setup_rpc

Changes in openstack-neutron-gbp:
- Update to version group-based-policy-7.3.1.dev72:
  * Refactor static path code
- Update to version group-based-policy-7.3.1.dev71:
  * Support named ip protocols for SecurityGroupRules
- Update to version group-based-policy-7.3.1.dev70:
  * Allow both FIP and SNAT on a single port
- Update to version group-based-policy-7.3.1.dev69:
  * Fix active-active AAP RPC query
- Update to version group-based-policy-7.3.1.dev67:
  * [AIM] Add extra provided/consumed contracts to network extension
- Update to version group-based-policy-7.3.1.dev66:
  * Active active AAP feature
- Update to version group-based-policy-7.3.1.dev64:
  * Support cache option for legacy GBP driver
- Update to version group-based-policy-7.3.1.dev63:
  * Fix host ID length in VM names table
- Update to version group-based-policy-7.3.1.dev62:
  * Update_proj_descr in apic when project description is updated in os
- Update to version group-based-policy-7.3.1.dev61:
  * Send port notifications when host_route is getting updated
  * Provide a control knob to use the internal EP interface
- Update to version group-based-policy-7.3.1.dev57:
  * Fix pep8 failures seen on submitted patches

Changes in openstack-neutron-vsphere:
- Update to version networking-vsphere-2.0.1.dev133:
  * Update to use Agent model from neutron.db.models
  * Fix neutron-dvs-agent startup errors
  * OpenDev Migration Patch
- Remove 0001-fix-dvs-agent-config.patch as changes had been backported to stable/pike
  - See https://review.opendev.org/#/c/682482

Changes in openstack-nova:
- Update to version nova-16.1.9.dev49:
  * Use stable constraint for Tempest pinned stable branches
- Update to version nova-16.1.9.dev48:
  * Avoid redundant initialize_connection on source post live migration
  * Error out interrupted builds
  * Skip checking of target_dev for vhostuser
  * Functional reproduce for
    bug 1833581
  * Prevent init_host test to interfere with other tests
  * Add functional test for resize crash compute restart revert
  * Move restart_compute_service to a common place
  * lxc: make use of filter python3 compatible
  * cleanup evacuated instances not on hypervisor
  * Delete resource providers for all nodes when deleting compute service
- Update to version nova-16.1.9.dev30:
  * Explicitly fail if trying to attach SR-IOV port
  * Stabilize unshelve notification sample tests
- Update to version nova-16.1.9.dev26:
  * Fix listing deleted servers with a marker
  * Add functional regression test for bug 1849409
- Update to version nova-16.1.9.dev22:
  * Hook resource_tracker to remove stale node information
- Update to version nova-16.1.9.dev20:
  * Workaround missing RequestSpec.instance_group.uuid
  * Add regression recreate test for bug 1830747
- Update to version nova-16.1.9.dev16:
  * Changing scheduler sync event from INFO to DEBUG
- Update to version nova-16.1.9.dev14:
  * Only nil az during shelve offload
  * Delete instance_id_mappings record in instance_destroy
- Update to version nova-16.1.9.dev11:
  * Revert "openstack server create" to "nova boot" in nova docs
  * doc: fix and clarify --block-device usage in user docs
- Update to version nova-16.1.9.dev8:
  * Functional reproduce for bug 1852207

Changes in openstack-octavia:
- Update to version octavia-1.0.6.dev3:
  * Fix urgent amphora two-way auth security bug

Changes in openstack-octavia-amphora-image:
- Update image to 0.1.2 to include updated keepalived 2.0.19
- Update image to 0.1.1 to include latest changes
- Add keepalived service

Changes in openstack-resource-agents:
- Update to version 1.0+git.1569436425.8b9c49f:
  * Add a configurable delay to Nova Evacuate calls
  * OpenDev Migration Patch
  * NovaEvacuate: fix a syntax error
  * NovaEvacuate: Support the new split-out IHA fence agents with backwards compatibility
  * NovaEvacuate: Correctly handle stopped hypervisors
  * neutron-ha-tool: do not replicate dhcp
  * NovaCompute: Support parsing host option from /etc/nova/nova.conf.d
  * NovaCompute: Use variable to avoid calling crudini a second time
  * NovaEvacuate: Allow debug logging to be turned on easily

Changes in openstack-sahara:
- Update to version sahara-7.0.5.dev4:
  * Run sahara-scenario using Python 3
  * Enforce python 2 for documentation build
  * Fix requirements (bandit)
  * OpenDev Migration Patch 7.0.4

Changes in openstack-trove:
- Update to version trove-8.0.2.dev2:
  * Add local bindep.txt
  * OpenDev Migration Patch 8.0.1

Changes in python-cinderlm:
- Update to version 0.0.2+git.1571845893.27f0b7b:
  * SCRD-4764 remove V2.0 auth end points (SOC-9753)

Changes in python-congressclient:
- update to version 1.8.1
  - Update .gitreview for stable/pike
  - Update UPPER_CONSTRAINTS_FILE for stable/pike
  - import zuul job settings from project-config
  - Updated from global requirements

Changes in python-designateclient:
- update to version 2.7.1
  - Update .gitreview for stable/pike
  - Updated from global requirements
  - import zuul job settings from project-config
  - Update UPPER_CONSTRAINTS_FILE for stable/pike
  - server-get/update show wrong values about 'id' and 'update_at'

Changes in python-ironic-lib:
- update to version 2.10.2
  - Replace openstack.org git:// URLs with https://
  - Make search for config drive partition case insensitive
  - Revert "Use dd conv=sparse when writing images to nodes"
  - Check GPT table with sgdisk instead of partprobe
  - Avoid tox_install.sh for constraints support
  - Fix GPT bug with whole disk images
  - import zuul job settings from project-config

Changes in python-networking-cisco:
- Update to version networking-cisco-6.1.1.dev65:
  * Nexus: Add CA Bundle path to https doc
  * Improve Nexus Ironic related doc and logs
  * Upgrade release notes to include Tripleo/puppet
  * Fix socket not closed errors in unit test logs
  * Add release note about adding support for Rocky OpenStack
  * Update publish-openstack-python-branch-tarball job
  * Remove MultiConfigParser from SAF application
  * More fixes
    for networking_cisco rocky support
  * Remove MultiConfigParser from the device manager config loader
  * Ensure CFG agent is started after neutron config is written
  * Removed older version of python added 3.5
  * Begin process of supporting neutron Rocky
  * Typo in tar command in doc install guide
  * Add cisco providernet extension to Nexus doc
  * Add missing policy to fix stable/queens unit tests
  * Pin stestr version (1.1.0) for Mitaka
  * Fix places in ucsm network driver using .ucsm instead of .ucsms
  * Fix doc build under python3
  * Fix mitaka bug with NeutronWorker missing parameter
  * Eliminate 30 sec delay for Nexus replay thread
  * Fix foreign key constraint violation while creating primary key with subnet_id
  * Put upper constraint on ncclient version to prevent breakages
  * Improvements to the networking-cisco zuul jobs
  * Remove deprecated host/interface map config
  * Include device manager configuration file when starting config agent
  * Fix pep8 and other tox environments locally
  * Add rocky to CI
  * Add bandit to tox and resolve Nexus SA errors
  * Deprecate old ML2 Nexus/UCSM documentation file
  * Secure Nexus https certificates by default
- Add tempest_plugin subpackage

Changes in python-osc-lib:
- update to version 1.7.1
  - import zuul job settings from project-config
  - Update UPPER_CONSTRAINTS_FILE for stable/pike
  - Updated from global requirements
  - Update .gitreview for stable/pike
  - Avoid tox_install.sh for constraints support

Changes in python-oslo.context:
- update to version 2.17.2
  - Fix sphinx-docs job for stable branch
  - import zuul job settings from project-config

Changes in python-oslo.rootwrap:
- update to version 5.9.3
  - Avoid tox_install.sh for constraints support
  - Follow the new PTI for document build
  - import zuul job settings from project-config

Changes in python-oslo.serialization:
- update to version 2.20.3
  - import zuul job settings from project-config
  - Fix sphinx-docs job for stable branch

Changes in python-oslo.service:
- update to version 1.25.2
  - import zuul job settings from project-config
  - Fix sphinx-docs job for stable branch

Changes in python-stevedore:
- update to version 1.25.2
  - move doc requirements to doc/requirements.txt
  - Use stable branch for upper-constraints
  - remove duplicate sphinx dependency
  - Avoid tox_install.sh for constraints support
  - import zuul job settings from project-config

Changes in python-taskflow:
- update to version 2.14.2
  - don't let tox_install.sh error if there is nothing to do
  - import zuul job settings from project-config
  - Updated from global requirements
  - Use doc/requirements.txt

Changes in rubygem-crowbar-client:
- Update to 3.9.1
  - Fix repocheck table output (SOC-10718)
  - Enable restricted commands for Cloud8 (bsc#1117080, CVE-2018-17954)

Changes in rubygem-puma:
- Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770)
  This patch fixes a DoS vulnerability a malicious client could use to block a large number of threads.

Changes in venv-openstack-swift:
- Fix lower version number after inheriting the version from main component (SCRD-8523)
- Revert: "Inherit version number of venv from main component (SCRD-8523)" as zypper reports the new version number as older than what is released
- Inherit version number of venv from main component (SCRD-8523)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-640=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-640=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-640=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): crowbar-core-5.0+git.1582968668.1a55c77c5-3.35.4 crowbar-core-branding-upstream-5.0+git.1582968668.1a55c77c5-3.35.4 keepalived-2.0.19-3.6.3 keepalived-debuginfo-2.0.19-3.6.3 keepalived-debugsource-2.0.19-3.6.3 mariadb-10.2.31-4.17.3 mariadb-client-10.2.31-4.17.3 mariadb-client-debuginfo-10.2.31-4.17.3 mariadb-debuginfo-10.2.31-4.17.3 mariadb-debugsource-10.2.31-4.17.3 mariadb-galera-10.2.31-4.17.3 mariadb-tools-10.2.31-4.17.3 mariadb-tools-debuginfo-10.2.31-4.17.3 ruby2.1-rubygem-crowbar-client-3.9.1-3.9.3 ruby2.1-rubygem-puma-2.16.0-3.3.3 ruby2.1-rubygem-puma-debuginfo-2.16.0-3.3.3 rubygem-puma-debugsource-2.16.0-3.3.3 - SUSE OpenStack Cloud Crowbar 8 (noarch): crowbar-ha-5.0+git.1574286229.e0364c3-3.29.3 crowbar-openstack-5.0+git.1582911795.5081ef1da-4.34.3 crowbar-ui-1.2.0+git.1575896697.a01a3a08-3.15.3 mariadb-errormessages-10.2.31-4.17.3 openstack-cinder-11.2.3~dev23-3.24.4 openstack-cinder-api-11.2.3~dev23-3.24.4 openstack-cinder-backup-11.2.3~dev23-3.24.4 openstack-cinder-doc-11.2.3~dev23-3.24.3 openstack-cinder-scheduler-11.2.3~dev23-3.24.4 openstack-cinder-volume-11.2.3~dev23-3.24.4 openstack-dashboard-12.0.5~dev2-3.23.4 openstack-dashboard-theme-SUSE-2017.2+git.1573629528.6b21fa5-7.14.3 openstack-heat-9.0.8~dev22-3.27.4 openstack-heat-api-9.0.8~dev22-3.27.4 openstack-heat-api-cfn-9.0.8~dev22-3.27.4 openstack-heat-api-cloudwatch-9.0.8~dev22-3.27.4 openstack-heat-doc-9.0.8~dev22-3.27.3 openstack-heat-engine-9.0.8~dev22-3.27.4 openstack-heat-plugin-heat_docker-9.0.8~dev22-3.27.4 openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3 openstack-heat-test-9.0.8~dev22-3.27.4 
openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 openstack-ironic-9.1.8~dev8-3.24.4 openstack-ironic-api-9.1.8~dev8-3.24.4 openstack-ironic-conductor-9.1.8~dev8-3.24.4 openstack-ironic-doc-9.1.8~dev8-3.24.3 openstack-keystone-12.0.4~dev5-5.30.4 openstack-keystone-doc-12.0.4~dev5-5.30.3 openstack-monasca-agent-2.2.5~dev5-3.15.2 openstack-neutron-11.0.9~dev60-3.27.4 openstack-neutron-dhcp-agent-11.0.9~dev60-3.27.4 openstack-neutron-doc-11.0.9~dev60-3.27.3 openstack-neutron-gbp-7.3.1~dev72-3.12.3 openstack-neutron-ha-tool-11.0.9~dev60-3.27.4 openstack-neutron-l3-agent-11.0.9~dev60-3.27.4 openstack-neutron-linuxbridge-agent-11.0.9~dev60-3.27.4 openstack-neutron-macvtap-agent-11.0.9~dev60-3.27.4 openstack-neutron-metadata-agent-11.0.9~dev60-3.27.4 openstack-neutron-metering-agent-11.0.9~dev60-3.27.4 openstack-neutron-openvswitch-agent-11.0.9~dev60-3.27.4 openstack-neutron-server-11.0.9~dev60-3.27.4 openstack-neutron-vsphere-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-doc-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-dvs-agent-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-ovsvapp-agent-2.0.1~dev133-3.12.3 openstack-nova-16.1.9~dev49-3.32.4 openstack-nova-api-16.1.9~dev49-3.32.4 openstack-nova-cells-16.1.9~dev49-3.32.4 openstack-nova-compute-16.1.9~dev49-3.32.4 openstack-nova-conductor-16.1.9~dev49-3.32.4 openstack-nova-console-16.1.9~dev49-3.32.4 openstack-nova-consoleauth-16.1.9~dev49-3.32.4 openstack-nova-doc-16.1.9~dev49-3.32.3 openstack-nova-novncproxy-16.1.9~dev49-3.32.4 openstack-nova-placement-api-16.1.9~dev49-3.32.4 openstack-nova-scheduler-16.1.9~dev49-3.32.4 openstack-nova-serialproxy-16.1.9~dev49-3.32.4 openstack-nova-vncproxy-16.1.9~dev49-3.32.4 openstack-octavia-1.0.6~dev3-4.21.3 openstack-octavia-amphora-agent-1.0.6~dev3-4.21.3 openstack-octavia-amphora-image-debugsource-0.1.2-3.9.3 openstack-octavia-amphora-image-x86_64-0.1.2-3.9.3 openstack-octavia-api-1.0.6~dev3-4.21.3 
openstack-octavia-health-manager-1.0.6~dev3-4.21.3 openstack-octavia-housekeeping-1.0.6~dev3-4.21.3 openstack-octavia-worker-1.0.6~dev3-4.21.3 openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3 openstack-sahara-7.0.5~dev4-3.12.4 openstack-sahara-api-7.0.5~dev4-3.12.4 openstack-sahara-doc-7.0.5~dev4-3.12.3 openstack-sahara-engine-7.0.5~dev4-3.12.4 openstack-trove-8.0.2~dev2-3.12.3 openstack-trove-api-8.0.2~dev2-3.12.3 openstack-trove-conductor-8.0.2~dev2-3.12.3 openstack-trove-doc-8.0.2~dev2-3.12.3 openstack-trove-guestagent-8.0.2~dev2-3.12.3 openstack-trove-taskmanager-8.0.2~dev2-3.12.3 python-cinder-11.2.3~dev23-3.24.4 python-congressclient-1.8.1-3.3.4 python-designateclient-2.7.1-3.3.4 python-designateclient-doc-2.7.1-3.3.4 python-freezegun-0.3.9-1.3.3 python-heat-9.0.8~dev22-3.27.4 python-horizon-12.0.5~dev2-3.23.4 python-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 python-ironic-9.1.8~dev8-3.24.4 python-ironic-lib-2.10.2-3.3.3 python-keystone-12.0.4~dev5-5.30.4 python-monasca-agent-2.2.5~dev5-3.15.2 python-networking-cisco-6.1.1~dev65-3.3.3 python-networking-vsphere-2.0.1~dev133-3.12.3 python-neutron-11.0.9~dev60-3.27.4 python-neutron-gbp-7.3.1~dev72-3.12.3 python-nova-16.1.9~dev49-3.32.4 python-octavia-1.0.6~dev3-4.21.3 python-osc-lib-1.7.1-3.3.3 python-oslo.context-2.17.2-3.3.3 python-oslo.rootwrap-5.9.3-3.3.3 python-oslo.serialization-2.20.3-3.3.3 python-oslo.service-1.25.2-3.3.3 python-sahara-7.0.5~dev4-3.12.4 python-stevedore-1.25.2-3.3.3 python-taskflow-2.14.2-3.3.3 python-trove-8.0.2~dev2-3.12.3 - SUSE OpenStack Cloud 8 (x86_64): keepalived-2.0.19-3.6.3 keepalived-debuginfo-2.0.19-3.6.3 keepalived-debugsource-2.0.19-3.6.3 mariadb-10.2.31-4.17.3 mariadb-client-10.2.31-4.17.3 mariadb-client-debuginfo-10.2.31-4.17.3 mariadb-debuginfo-10.2.31-4.17.3 mariadb-debugsource-10.2.31-4.17.3 mariadb-galera-10.2.31-4.17.3 mariadb-tools-10.2.31-4.17.3 mariadb-tools-debuginfo-10.2.31-4.17.3 - SUSE 
OpenStack Cloud 8 (noarch): ardana-cinder-8.0+git.1579279939.ee7da88-3.39.3 ardana-cobbler-8.0+git.1575037115.0326803-3.41.3 ardana-designate-8.0+git.1573597788.15b7984-3.17.3 ardana-extensions-example-8.0+git.1534266307.db1ec28-3.3.3 ardana-extensions-nsx-8.0+git.1567529036.a41a037-3.6.4 ardana-glance-8.0+git.1571846045.ab9e3ea-3.20.3 ardana-heat-8.0+git.1571777596.14dce6a-3.15.3 ardana-input-model-8.0+git.1582147997.b9ed134-3.36.3 ardana-ironic-8.0+git.1571845225.006843d-3.9.3 ardana-keystone-8.0+git.1573147067.09e3ea0-3.27.3 ardana-logging-8.0+git.1572452293.e65d714-3.21.3 ardana-monasca-8.0+git.1572527728.9b34bdf-3.21.3 ardana-monasca-transform-8.0+git.1571845965.97714fb-3.12.3 ardana-mq-8.0+git.1581024906.fbf0be3-3.16.3 ardana-neutron-8.0+git.1573050365.ff6fa06-3.36.3 ardana-nova-8.0+git.1571846125.584d988-3.38.3 ardana-octavia-8.0+git.1575642049.1f321d0-3.23.3 ardana-osconfig-8.0+git.1581015942.2d21e63-3.42.3 ardana-tempest-8.0+git.1579261264.7dd213a-3.30.3 mariadb-errormessages-10.2.31-4.17.3 openstack-cinder-11.2.3~dev23-3.24.4 openstack-cinder-api-11.2.3~dev23-3.24.4 openstack-cinder-backup-11.2.3~dev23-3.24.4 openstack-cinder-doc-11.2.3~dev23-3.24.3 openstack-cinder-scheduler-11.2.3~dev23-3.24.4 openstack-cinder-volume-11.2.3~dev23-3.24.4 openstack-dashboard-12.0.5~dev2-3.23.4 openstack-dashboard-theme-SUSE-2017.2+git.1573629528.6b21fa5-7.14.3 openstack-heat-9.0.8~dev22-3.27.4 openstack-heat-api-9.0.8~dev22-3.27.4 openstack-heat-api-cfn-9.0.8~dev22-3.27.4 openstack-heat-api-cloudwatch-9.0.8~dev22-3.27.4 openstack-heat-doc-9.0.8~dev22-3.27.3 openstack-heat-engine-9.0.8~dev22-3.27.4 openstack-heat-plugin-heat_docker-9.0.8~dev22-3.27.4 openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3 openstack-heat-test-9.0.8~dev22-3.27.4 openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 openstack-ironic-9.1.8~dev8-3.24.4 openstack-ironic-api-9.1.8~dev8-3.24.4 
openstack-ironic-conductor-9.1.8~dev8-3.24.4 openstack-ironic-doc-9.1.8~dev8-3.24.3 openstack-keystone-12.0.4~dev5-5.30.4 openstack-keystone-doc-12.0.4~dev5-5.30.3 openstack-monasca-agent-2.2.5~dev5-3.15.2 openstack-neutron-11.0.9~dev60-3.27.4 openstack-neutron-dhcp-agent-11.0.9~dev60-3.27.4 openstack-neutron-doc-11.0.9~dev60-3.27.3 openstack-neutron-gbp-7.3.1~dev72-3.12.3 openstack-neutron-ha-tool-11.0.9~dev60-3.27.4 openstack-neutron-l3-agent-11.0.9~dev60-3.27.4 openstack-neutron-linuxbridge-agent-11.0.9~dev60-3.27.4 openstack-neutron-macvtap-agent-11.0.9~dev60-3.27.4 openstack-neutron-metadata-agent-11.0.9~dev60-3.27.4 openstack-neutron-metering-agent-11.0.9~dev60-3.27.4 openstack-neutron-openvswitch-agent-11.0.9~dev60-3.27.4 openstack-neutron-server-11.0.9~dev60-3.27.4 openstack-neutron-vsphere-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-doc-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-dvs-agent-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-ovsvapp-agent-2.0.1~dev133-3.12.3 openstack-nova-16.1.9~dev49-3.32.4 openstack-nova-api-16.1.9~dev49-3.32.4 openstack-nova-cells-16.1.9~dev49-3.32.4 openstack-nova-compute-16.1.9~dev49-3.32.4 openstack-nova-conductor-16.1.9~dev49-3.32.4 openstack-nova-console-16.1.9~dev49-3.32.4 openstack-nova-consoleauth-16.1.9~dev49-3.32.4 openstack-nova-doc-16.1.9~dev49-3.32.3 openstack-nova-novncproxy-16.1.9~dev49-3.32.4 openstack-nova-placement-api-16.1.9~dev49-3.32.4 openstack-nova-scheduler-16.1.9~dev49-3.32.4 openstack-nova-serialproxy-16.1.9~dev49-3.32.4 openstack-nova-vncproxy-16.1.9~dev49-3.32.4 openstack-octavia-1.0.6~dev3-4.21.3 openstack-octavia-amphora-agent-1.0.6~dev3-4.21.3 openstack-octavia-amphora-image-debugsource-0.1.2-3.9.3 openstack-octavia-amphora-image-x86_64-0.1.2-3.9.3 openstack-octavia-api-1.0.6~dev3-4.21.3 openstack-octavia-health-manager-1.0.6~dev3-4.21.3 openstack-octavia-housekeeping-1.0.6~dev3-4.21.3 openstack-octavia-worker-1.0.6~dev3-4.21.3 openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3 
openstack-sahara-7.0.5~dev4-3.12.4 openstack-sahara-api-7.0.5~dev4-3.12.4 openstack-sahara-doc-7.0.5~dev4-3.12.3 openstack-sahara-engine-7.0.5~dev4-3.12.4 openstack-trove-8.0.2~dev2-3.12.3 openstack-trove-api-8.0.2~dev2-3.12.3 openstack-trove-conductor-8.0.2~dev2-3.12.3 openstack-trove-doc-8.0.2~dev2-3.12.3 openstack-trove-guestagent-8.0.2~dev2-3.12.3 openstack-trove-taskmanager-8.0.2~dev2-3.12.3 python-cinder-11.2.3~dev23-3.24.4 python-cinderlm-0.0.2+git.1571845893.27f0b7b-3.9.3 python-congressclient-1.8.1-3.3.4 python-designateclient-2.7.1-3.3.4 python-designateclient-doc-2.7.1-3.3.4 python-freezegun-0.3.9-1.3.3 python-heat-9.0.8~dev22-3.27.4 python-horizon-12.0.5~dev2-3.23.4 python-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 python-ironic-9.1.8~dev8-3.24.4 python-ironic-lib-2.10.2-3.3.3 python-keystone-12.0.4~dev5-5.30.4 python-monasca-agent-2.2.5~dev5-3.15.2 python-networking-cisco-6.1.1~dev65-3.3.3 python-networking-vsphere-2.0.1~dev133-3.12.3 python-neutron-11.0.9~dev60-3.27.4 python-neutron-gbp-7.3.1~dev72-3.12.3 python-nova-16.1.9~dev49-3.32.4 python-octavia-1.0.6~dev3-4.21.3 python-osc-lib-1.7.1-3.3.3 python-oslo.context-2.17.2-3.3.3 python-oslo.rootwrap-5.9.3-3.3.3 python-oslo.serialization-2.20.3-3.3.3 python-oslo.service-1.25.2-3.3.3 python-sahara-7.0.5~dev4-3.12.4 python-stevedore-1.25.2-3.3.3 python-taskflow-2.14.2-3.3.3 python-trove-8.0.2~dev2-3.12.3 venv-openstack-aodh-x86_64-5.1.1~dev7-12.22.2 venv-openstack-barbican-x86_64-5.0.2~dev3-12.23.2 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.20.2 venv-openstack-cinder-x86_64-11.2.3~dev23-14.23.2 venv-openstack-designate-x86_64-5.0.3~dev7-12.21.2 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.18.2 venv-openstack-glance-x86_64-15.0.3~dev3-12.21.2 venv-openstack-heat-x86_64-9.0.8~dev22-12.23.2 venv-openstack-horizon-x86_64-12.0.5~dev2-14.28.2 venv-openstack-ironic-x86_64-9.1.8~dev8-12.23.2 venv-openstack-keystone-x86_64-12.0.4~dev5-11.24.2 
venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.22.2 venv-openstack-manila-x86_64-5.1.1~dev2-12.25.2 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.18.2 venv-openstack-monasca-x86_64-2.2.2~dev1-11.20.2 venv-openstack-murano-x86_64-4.0.2~dev2-12.18.2 venv-openstack-neutron-x86_64-11.0.9~dev60-13.26.2 venv-openstack-nova-x86_64-16.1.9~dev49-11.24.2 venv-openstack-octavia-x86_64-1.0.6~dev3-12.23.2 venv-openstack-sahara-x86_64-7.0.5~dev4-11.22.2 venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.16.3 venv-openstack-trove-x86_64-8.0.2~dev2-11.22.2 - HPE Helion Openstack 8 (noarch): ardana-cinder-8.0+git.1579279939.ee7da88-3.39.3 ardana-cobbler-8.0+git.1575037115.0326803-3.41.3 ardana-designate-8.0+git.1573597788.15b7984-3.17.3 ardana-extensions-example-8.0+git.1534266307.db1ec28-3.3.3 ardana-extensions-nsx-8.0+git.1567529036.a41a037-3.6.4 ardana-glance-8.0+git.1571846045.ab9e3ea-3.20.3 ardana-heat-8.0+git.1571777596.14dce6a-3.15.3 ardana-input-model-8.0+git.1582147997.b9ed134-3.36.3 ardana-ironic-8.0+git.1571845225.006843d-3.9.3 ardana-keystone-8.0+git.1573147067.09e3ea0-3.27.3 ardana-logging-8.0+git.1572452293.e65d714-3.21.3 ardana-monasca-8.0+git.1572527728.9b34bdf-3.21.3 ardana-monasca-transform-8.0+git.1571845965.97714fb-3.12.3 ardana-mq-8.0+git.1581024906.fbf0be3-3.16.3 ardana-neutron-8.0+git.1573050365.ff6fa06-3.36.3 ardana-nova-8.0+git.1571846125.584d988-3.38.3 ardana-octavia-8.0+git.1575642049.1f321d0-3.23.3 ardana-osconfig-8.0+git.1581015942.2d21e63-3.42.3 ardana-tempest-8.0+git.1579261264.7dd213a-3.30.3 mariadb-errormessages-10.2.31-4.17.3 openstack-cinder-11.2.3~dev23-3.24.4 openstack-cinder-api-11.2.3~dev23-3.24.4 openstack-cinder-backup-11.2.3~dev23-3.24.4 openstack-cinder-doc-11.2.3~dev23-3.24.3 openstack-cinder-scheduler-11.2.3~dev23-3.24.4 openstack-cinder-volume-11.2.3~dev23-3.24.4 openstack-dashboard-12.0.5~dev2-3.23.4 openstack-heat-9.0.8~dev22-3.27.4 openstack-heat-api-9.0.8~dev22-3.27.4 
openstack-heat-api-cfn-9.0.8~dev22-3.27.4 openstack-heat-api-cloudwatch-9.0.8~dev22-3.27.4 openstack-heat-doc-9.0.8~dev22-3.27.3 openstack-heat-engine-9.0.8~dev22-3.27.4 openstack-heat-plugin-heat_docker-9.0.8~dev22-3.27.4 openstack-heat-templates-0.0.0+git.1560033670.e3b5a52-3.12.3 openstack-heat-test-9.0.8~dev22-3.27.4 openstack-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 openstack-ironic-9.1.8~dev8-3.24.4 openstack-ironic-api-9.1.8~dev8-3.24.4 openstack-ironic-conductor-9.1.8~dev8-3.24.4 openstack-ironic-doc-9.1.8~dev8-3.24.3 openstack-keystone-12.0.4~dev5-5.30.4 openstack-keystone-doc-12.0.4~dev5-5.30.3 openstack-monasca-agent-2.2.5~dev5-3.15.2 openstack-neutron-11.0.9~dev60-3.27.4 openstack-neutron-dhcp-agent-11.0.9~dev60-3.27.4 openstack-neutron-doc-11.0.9~dev60-3.27.3 openstack-neutron-gbp-7.3.1~dev72-3.12.3 openstack-neutron-ha-tool-11.0.9~dev60-3.27.4 openstack-neutron-l3-agent-11.0.9~dev60-3.27.4 openstack-neutron-linuxbridge-agent-11.0.9~dev60-3.27.4 openstack-neutron-macvtap-agent-11.0.9~dev60-3.27.4 openstack-neutron-metadata-agent-11.0.9~dev60-3.27.4 openstack-neutron-metering-agent-11.0.9~dev60-3.27.4 openstack-neutron-openvswitch-agent-11.0.9~dev60-3.27.4 openstack-neutron-server-11.0.9~dev60-3.27.4 openstack-neutron-vsphere-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-doc-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-dvs-agent-2.0.1~dev133-3.12.3 openstack-neutron-vsphere-ovsvapp-agent-2.0.1~dev133-3.12.3 openstack-nova-16.1.9~dev49-3.32.4 openstack-nova-api-16.1.9~dev49-3.32.4 openstack-nova-cells-16.1.9~dev49-3.32.4 openstack-nova-compute-16.1.9~dev49-3.32.4 openstack-nova-conductor-16.1.9~dev49-3.32.4 openstack-nova-console-16.1.9~dev49-3.32.4 openstack-nova-consoleauth-16.1.9~dev49-3.32.4 openstack-nova-doc-16.1.9~dev49-3.32.3 openstack-nova-novncproxy-16.1.9~dev49-3.32.4 openstack-nova-placement-api-16.1.9~dev49-3.32.4 openstack-nova-scheduler-16.1.9~dev49-3.32.4 
openstack-nova-serialproxy-16.1.9~dev49-3.32.4 openstack-nova-vncproxy-16.1.9~dev49-3.32.4 openstack-octavia-1.0.6~dev3-4.21.3 openstack-octavia-amphora-agent-1.0.6~dev3-4.21.3 openstack-octavia-amphora-image-debugsource-0.1.2-3.9.3 openstack-octavia-amphora-image-x86_64-0.1.2-3.9.3 openstack-octavia-api-1.0.6~dev3-4.21.3 openstack-octavia-health-manager-1.0.6~dev3-4.21.3 openstack-octavia-housekeeping-1.0.6~dev3-4.21.3 openstack-octavia-worker-1.0.6~dev3-4.21.3 openstack-resource-agents-1.0+git.1569436425.8b9c49f-3.3.3 openstack-sahara-7.0.5~dev4-3.12.4 openstack-sahara-api-7.0.5~dev4-3.12.4 openstack-sahara-doc-7.0.5~dev4-3.12.3 openstack-sahara-engine-7.0.5~dev4-3.12.4 openstack-trove-8.0.2~dev2-3.12.3 openstack-trove-api-8.0.2~dev2-3.12.3 openstack-trove-conductor-8.0.2~dev2-3.12.3 openstack-trove-doc-8.0.2~dev2-3.12.3 openstack-trove-guestagent-8.0.2~dev2-3.12.3 openstack-trove-taskmanager-8.0.2~dev2-3.12.3 python-cinder-11.2.3~dev23-3.24.4 python-cinderlm-0.0.2+git.1571845893.27f0b7b-3.9.3 python-congressclient-1.8.1-3.3.4 python-designateclient-2.7.1-3.3.4 python-designateclient-doc-2.7.1-3.3.4 python-heat-9.0.8~dev22-3.27.4 python-horizon-12.0.5~dev2-3.23.4 python-horizon-plugin-designate-ui-5.0.3~dev2-3.9.3 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev5-3.14.3 python-ironic-9.1.8~dev8-3.24.4 python-ironic-lib-2.10.2-3.3.3 python-keystone-12.0.4~dev5-5.30.4 python-monasca-agent-2.2.5~dev5-3.15.2 python-networking-cisco-6.1.1~dev65-3.3.3 python-networking-vsphere-2.0.1~dev133-3.12.3 python-neutron-11.0.9~dev60-3.27.4 python-neutron-gbp-7.3.1~dev72-3.12.3 python-nova-16.1.9~dev49-3.32.4 python-octavia-1.0.6~dev3-4.21.3 python-osc-lib-1.7.1-3.3.3 python-oslo.context-2.17.2-3.3.3 python-oslo.rootwrap-5.9.3-3.3.3 python-oslo.serialization-2.20.3-3.3.3 python-oslo.service-1.25.2-3.3.3 python-sahara-7.0.5~dev4-3.12.4 python-stevedore-1.25.2-3.3.3 python-taskflow-2.14.2-3.3.3 python-trove-8.0.2~dev2-3.12.3 venv-openstack-aodh-x86_64-5.1.1~dev7-12.22.2 
venv-openstack-barbican-x86_64-5.0.2~dev3-12.23.2 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.20.2 venv-openstack-cinder-x86_64-11.2.3~dev23-14.23.2 venv-openstack-designate-x86_64-5.0.3~dev7-12.21.2 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.18.2 venv-openstack-glance-x86_64-15.0.3~dev3-12.21.2 venv-openstack-heat-x86_64-9.0.8~dev22-12.23.2 venv-openstack-horizon-hpe-x86_64-12.0.5~dev2-14.28.2 venv-openstack-ironic-x86_64-9.1.8~dev8-12.23.2 venv-openstack-keystone-x86_64-12.0.4~dev5-11.24.2 venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.22.2 venv-openstack-manila-x86_64-5.1.1~dev2-12.25.2 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.18.2 venv-openstack-monasca-x86_64-2.2.2~dev1-11.20.2 venv-openstack-murano-x86_64-4.0.2~dev2-12.18.2 venv-openstack-neutron-x86_64-11.0.9~dev60-13.26.2 venv-openstack-nova-x86_64-16.1.9~dev49-11.24.2 venv-openstack-octavia-x86_64-1.0.6~dev3-12.23.2 venv-openstack-sahara-x86_64-7.0.5~dev4-11.22.2 venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.16.3 venv-openstack-trove-x86_64-8.0.2~dev2-11.22.2 - HPE Helion Openstack 8 (x86_64): keepalived-2.0.19-3.6.3 keepalived-debuginfo-2.0.19-3.6.3 keepalived-debugsource-2.0.19-3.6.3 mariadb-10.2.31-4.17.3 mariadb-client-10.2.31-4.17.3 mariadb-client-debuginfo-10.2.31-4.17.3 mariadb-debuginfo-10.2.31-4.17.3 mariadb-debugsource-10.2.31-4.17.3 mariadb-galera-10.2.31-4.17.3 mariadb-tools-10.2.31-4.17.3 mariadb-tools-debuginfo-10.2.31-4.17.3 References: https://www.suse.com/security/cve/CVE-2017-1002201.html https://www.suse.com/security/cve/CVE-2018-17954.html https://www.suse.com/security/cve/CVE-2019-13117.html https://www.suse.com/security/cve/CVE-2019-16770.html https://www.suse.com/security/cve/CVE-2019-18901.html https://www.suse.com/security/cve/CVE-2019-2737.html https://www.suse.com/security/cve/CVE-2019-2739.html https://www.suse.com/security/cve/CVE-2019-2740.html https://www.suse.com/security/cve/CVE-2019-2758.html 
https://www.suse.com/security/cve/CVE-2019-2805.html https://www.suse.com/security/cve/CVE-2019-2938.html https://www.suse.com/security/cve/CVE-2019-2974.html https://www.suse.com/security/cve/CVE-2020-2574.html https://www.suse.com/security/cve/CVE-2020-7595.html https://bugzilla.suse.com/1077717 https://bugzilla.suse.com/1117080 https://bugzilla.suse.com/1117840 https://bugzilla.suse.com/1123191 https://bugzilla.suse.com/1148158 https://bugzilla.suse.com/1152007 https://bugzilla.suse.com/1154235 https://bugzilla.suse.com/1155089 https://bugzilla.suse.com/1155942 https://bugzilla.suse.com/1156305 https://bugzilla.suse.com/1156669 https://bugzilla.suse.com/1156914 https://bugzilla.suse.com/1157028 https://bugzilla.suse.com/1157206 https://bugzilla.suse.com/1157482 https://bugzilla.suse.com/1158675 https://bugzilla.suse.com/1160048 https://bugzilla.suse.com/1160878 https://bugzilla.suse.com/1160883 https://bugzilla.suse.com/1160895 https://bugzilla.suse.com/1160912 https://bugzilla.suse.com/1161351 https://bugzilla.suse.com/1161517 https://bugzilla.suse.com/1162388

From sle-security-updates at lists.suse.com Thu Mar 12 08:16:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Mar 2020 15:16:22 +0100 (CET)
Subject: SUSE-SU-2020:0649-1: moderate: Security update for the Linux Kernel
Message-ID: <20200312141622.F1D41F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0649-1
Rating:             moderate
References:         #1051510 #1061840 #1065600 #1065729 #1071995 #1088810
                    #1105392 #1111666 #1112178 #1112504 #1114279 #1118338
                    #1123328 #1133021 #1133147 #1140025 #1154243 #1157424
                    #1157966 #1158013 #1159271 #1160218 #1160979 #1161360
                    #1161702 #1161907 #1162109 #1162139 #1162557 #1162617
                    #1162618 #1162619 #1162623 #1162928 #1162943 #1163383
                    #1163384 #1163762 #1163774 #1163836 #1163840 #1163841
                    #1163842 #1163843 #1163844 #1163845 #1163846 #1163849
                    #1163850 #1163851 #1163852 #1163853 #1163855 #1163856
                    #1163857 #1163858 #1163859 #1163860 #1163861 #1163862
                    #1163863 #1163867 #1163869 #1163880 #1163971 #1164069
                    #1164098 #1164115 #1164314 #1164315 #1164388 #1164471
                    #1164632 #1164705 #1164712 #1164727 #1164728 #1164729
                    #1164730 #1164731 #1164732 #1164733 #1164734 #1164735
Cross-References:   CVE-2020-2732 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP4
______________________________________________________________________________

An update that solves four vulnerabilities and has 80 fixes is now available.

Description:

The SUSE Linux Enterprise 12-SP4 kernel-RT was updated to 4.12.14 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8992: Fixed an issue in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).
- CVE-2020-8648: Fixed a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bsc#1162109).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510). - ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510). - ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557). - ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557). - ACPI / watchdog: Set default timeout in probe (bsc#1162557). - ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes). - ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666). - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes). - ALSA: seq: Avoid concurrent access to queue flags (git-fixes). - ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes). - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: sun8i-codec: Fix setting DAI data format (git-fixes). - ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762). - bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). - bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). 
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). - bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). - bcache: fix static checker warning in bcache_device_free() (bsc#1163762). - bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504). - bcache: print written and keys in trace_bcache_btree_write (bsc#1163762). - bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762). - bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762). - bcache: remove macro nr_to_fifo_front() (bsc#1163762). - bcache: remove member accessed from struct btree (bsc#1163762). - bcache: remove the extra cflags for request.o (bsc#1163762). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840). - blk-mq: make sure that line break can be printed (bsc#1164098). - Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - Btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943). - Btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - Btrfs: fix infinite loop during fsync after rename operations (bsc#1163383). - Btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384). - Btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - cdrom: respect device capabilities during opening action (boo#1164632). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - cifs: fix mount option display for sec=krb5i (bsc#1161907). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). 
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - Documentation: Document arm64 kpti control (bsc#1162623). - drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - ext2: check err when partial != NULL (bsc#1163859). 
- ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - fix the locking in dcache_readdir() and friends (bsc#1123328). - fscrypt: do not set policy for a dead directory (bsc#1163846). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/open.c: allow opening only regular files during execve() (bsc#1163845). - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes). - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - gtp: avoid zero size hashtable (networking-stable-20_01_01). - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01). - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01). - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510). - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617). 
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314). - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115). - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510). - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510). - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862). - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836). - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860). - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863). - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880). - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852). - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510). - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360). - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840). - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840). - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840). - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). 
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510). - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510). - media: af9005: uninitialized variable printked (bsc#1051510). - media: cec: CEC 2.0-only bcast messages were ignored (git-fixes). - media: digitv: do not continue if remote control state can't be read (bsc#1051510). - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510). - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes). - media: gspca: zero usb_buf (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov6650: Fix crop rectangle alignment not passed back (git-fixes). - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes). - media: pulse8-cec: fix lost cec_transmit_attempt_done() call. - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). 
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - mfd: da9062: Fix watchdog compatible string (bsc#1051510). - mfd: dln2: More sanity checking for endpoints (bsc#1051510). - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510). - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510). - mod_devicetable: fix PHY module format (networking-stable-19_12_28). - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851). - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28). - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01). - net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28). - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28). - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28). - net: sched: correct flower port blocking (git-fixes). - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28). - new helper: lookup_positive_unlocked() (bsc#1159271). - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774). - PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279). - perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). 
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729). - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729). - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729). - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729). - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes). - pwm: Remove set but not set variable 'pwm' (git-fixes). - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279) - qede: Fix multicast mac configuration (networking-stable-19_12_28). - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510). - quota: Check that quota is not dirty before release (bsc#1163858). - quota: fix livelock in dquot_writeback_dquots (bsc#1163857). - r8152: get default setting of WOL before initializing (bsc#1051510). - README.BRANCH: Update the branch name to cve/linux-4.12 - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - reiserfs: Fix memory leak of journal device string (bsc#1163867). - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869). 
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field) - rpm/kernel-binary.spec.in: Replace Novell with SUSE - rtc: cmos: Stop using shared IRQ (bsc#1051510). - rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510). - rtlwifi: Fix MAX MPDU of VHT capability (git-fixes). - rtlwifi: Remove redundant semicolon in wifi.h (git-fixes). - scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424). - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424). - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510). - soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). 
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632). - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510). - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510). - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01). - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes). - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes). - tracing: Fix tracing_stat return values in error handling paths (git-fixes). - tracing: Fix very unlikely race of registering two stat tracers (git-fixes). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850). - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856). - ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855). - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844). - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01). - USB: core: fix check for duplicate endpoints (git-fixes). - USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510). 
- USB: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes). - USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: legacy: set max_speed to super-speed (bsc#1051510). - USB: gadget: Zero ffs_io_data (bsc#1051510). - USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes). - USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - USB: serial: ir-usb: fix IrLAP framing (bsc#1051510). - USB: serial: ir-usb: fix link-speed handling (bsc#1051510). - USB: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - USB: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - USB: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279). - xen/balloon: Support xend-based toolstack take two (bsc#1065600). 
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600). - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP4:

   zypper in -t patch SUSE-SLE-RT-12-SP4-2020-649=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP4 (x86_64):

   cluster-md-kmp-rt-4.12.14-8.15.1
   dlm-kmp-rt-4.12.14-8.15.1
   gfs2-kmp-rt-4.12.14-8.15.1
   kernel-rt-4.12.14-8.15.1
   kernel-rt-base-4.12.14-8.15.1
   kernel-rt-devel-4.12.14-8.15.1
   kernel-rt_debug-devel-4.12.14-8.15.1
   kernel-syms-rt-4.12.14-8.15.1
   ocfs2-kmp-rt-4.12.14-8.15.1

- SUSE Linux Enterprise Real Time Extension 12-SP4 (noarch):

   kernel-devel-rt-4.12.14-8.15.1
   kernel-source-rt-4.12.14-8.15.1

References:

https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 
https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 From sle-security-updates at lists.suse.com Thu Mar 12 08:35:01 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 12 Mar 2020 15:35:01 +0100 (CET) Subject: SUSE-SU-2020:14312-1: important: Security update for MozillaFirefox Message-ID: <20200312143501.A853AF79E@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14312-1 Rating: important References: #1132665 Cross-References: CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665) - CVE-2020-6805: Fixed a use-after-free when removing data about origins - CVE-2020-6806: Fixed improper protections against state confusion - CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction - CVE-2020-6811: Fixed an issue where the 'copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection - CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init - CVE-2020-6812: Fixed an issue where the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission - CVE-2020-6814: Fixed multiple memory safety bugs - Fixed an issue with minimizing a window (bsc#1132665).
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-14312=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-68.6.0-78.64.1 MozillaFirefox-translations-common-68.6.0-78.64.1 MozillaFirefox-translations-other-68.6.0-78.64.1 References: https://www.suse.com/security/cve/CVE-2019-20503.html https://www.suse.com/security/cve/CVE-2020-6805.html https://www.suse.com/security/cve/CVE-2020-6806.html https://www.suse.com/security/cve/CVE-2020-6807.html https://www.suse.com/security/cve/CVE-2020-6811.html https://www.suse.com/security/cve/CVE-2020-6812.html https://www.suse.com/security/cve/CVE-2020-6814.html https://bugzilla.suse.com/1132665 From sle-security-updates at lists.suse.com Thu Mar 12 08:37:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 12 Mar 2020 15:37:50 +0100 (CET) Subject: SUSE-SU-2020:14313-1: important: Security update for ipmitool Message-ID: <20200312143750.2A0E3F798@maintenance.suse.de> SUSE Security Update: Security update for ipmitool ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14313-1 Rating: important References: #1038508 #1163026 Cross-References: CVE-2020-5208 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for ipmitool fixes the following issues: - CVE-2020-5208: Fixed several buffer overflows (bsc#1163026). - Added a missing patch for DDR4 support (bsc#1038508). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-ipmitool-14313=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-ipmitool-14313=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): ipmitool-1.8.15-0.30.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): ipmitool-debuginfo-1.8.15-0.30.3.1 ipmitool-debugsource-1.8.15-0.30.3.1 References: https://www.suse.com/security/cve/CVE-2020-5208.html https://bugzilla.suse.com/1038508 https://bugzilla.suse.com/1163026 From sle-security-updates at lists.suse.com Thu Mar 12 14:13:43 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 12 Mar 2020 21:13:43 +0100 (CET) Subject: SUSE-SU-2020:0659-1: important: Security update for openstack-manila Message-ID: <20200312201343.0A370FC56@maintenance.suse.de> SUSE Security Update: Security update for openstack-manila ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0659-1 Rating: important References: #1165643 Cross-References: CVE-2020-9543 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for openstack-manila fixes the following issues: - CVE-2020-9543: Fixed an issue that allowed other project users to view, update, delete, or share resources that do not belong to them, due to a context-free lookup of a UUID (bsc#1165643) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-659=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-659=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): openstack-manila-7.3.1~dev15-4.18.2 openstack-manila-api-7.3.1~dev15-4.18.2 openstack-manila-data-7.3.1~dev15-4.18.2 openstack-manila-scheduler-7.3.1~dev15-4.18.2 openstack-manila-share-7.3.1~dev15-4.18.2 python-manila-7.3.1~dev15-4.18.2 - SUSE OpenStack Cloud 9 (noarch): openstack-manila-7.3.1~dev15-4.18.2 openstack-manila-api-7.3.1~dev15-4.18.2 openstack-manila-data-7.3.1~dev15-4.18.2 openstack-manila-scheduler-7.3.1~dev15-4.18.2 openstack-manila-share-7.3.1~dev15-4.18.2 python-manila-7.3.1~dev15-4.18.2 venv-openstack-manila-x86_64-7.3.1~dev15-3.17.3 References: https://www.suse.com/security/cve/CVE-2020-9543.html https://bugzilla.suse.com/1165643 From sle-security-updates at lists.suse.com Thu Mar 12 14:16:38 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 12 Mar 2020 21:16:38 +0100 (CET) Subject: SUSE-SU-2020:0660-1: important: Security update for openstack-manila Message-ID: <20200312201638.7CD3AFC56@maintenance.suse.de> SUSE Security Update: Security update for openstack-manila ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0660-1 Rating: important References: #1165643 Cross-References: CVE-2020-9543 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for openstack-manila fixes the following issues: - CVE-2020-9543: Fixed an issue that allowed other project users to view, update, delete, or share resources that do not belong to them, due to a context-free lookup of a UUID (bsc#1165643) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-660=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-660=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-660=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): openstack-manila-5.1.1~dev2-3.23.1 openstack-manila-api-5.1.1~dev2-3.23.1 openstack-manila-data-5.1.1~dev2-3.23.1 openstack-manila-doc-5.1.1~dev2-3.23.1 openstack-manila-scheduler-5.1.1~dev2-3.23.1 openstack-manila-share-5.1.1~dev2-3.23.1 python-manila-5.1.1~dev2-3.23.1 - SUSE OpenStack Cloud 8 (noarch): openstack-manila-5.1.1~dev2-3.23.1 openstack-manila-api-5.1.1~dev2-3.23.1 openstack-manila-data-5.1.1~dev2-3.23.1 openstack-manila-doc-5.1.1~dev2-3.23.1 openstack-manila-scheduler-5.1.1~dev2-3.23.1 openstack-manila-share-5.1.1~dev2-3.23.1 python-manila-5.1.1~dev2-3.23.1 venv-openstack-manila-x86_64-5.1.1~dev2-12.27.1 - HPE Helion Openstack 8 (noarch): openstack-manila-5.1.1~dev2-3.23.1 openstack-manila-api-5.1.1~dev2-3.23.1 openstack-manila-data-5.1.1~dev2-3.23.1 openstack-manila-doc-5.1.1~dev2-3.23.1 openstack-manila-scheduler-5.1.1~dev2-3.23.1 openstack-manila-share-5.1.1~dev2-3.23.1 python-manila-5.1.1~dev2-3.23.1 venv-openstack-manila-x86_64-5.1.1~dev2-12.27.1 References: https://www.suse.com/security/cve/CVE-2020-9543.html https://bugzilla.suse.com/1165643 From sle-security-updates at lists.suse.com Thu Mar 12 14:19:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at
lists.suse.com) Date: Thu, 12 Mar 2020 21:19:35 +0100 (CET) Subject: SUSE-SU-2020:0661-1: important: Security update for squid Message-ID: <20200312201935.63AFFFC56@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0661-1 Rating: important References: #1156323 #1156324 #1156326 #1156328 #1156329 #1162687 #1162689 #1162691 Cross-References: CVE-2019-12523 CVE-2019-12526 CVE-2019-12528 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2020-8449 CVE-2020-8450 CVE-2020-8517 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: This update for squid fixes the following issues: - CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689). - CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326). - CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329). - CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328). - CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323). - CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324). - CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687). 
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687). - CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-661=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-661=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-661=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-661=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-661=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-661=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-661=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-661=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-661=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-661=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-661=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-661=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE OpenStack Cloud 8 (x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE OpenStack Cloud 7 (s390x x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): squid-3.5.21-26.20.1 
squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 - HPE Helion Openstack 8 (x86_64): squid-3.5.21-26.20.1 squid-debuginfo-3.5.21-26.20.1 squid-debugsource-3.5.21-26.20.1 References: https://www.suse.com/security/cve/CVE-2019-12523.html https://www.suse.com/security/cve/CVE-2019-12526.html https://www.suse.com/security/cve/CVE-2019-12528.html https://www.suse.com/security/cve/CVE-2019-18676.html https://www.suse.com/security/cve/CVE-2019-18677.html https://www.suse.com/security/cve/CVE-2019-18678.html https://www.suse.com/security/cve/CVE-2019-18679.html https://www.suse.com/security/cve/CVE-2020-8449.html https://www.suse.com/security/cve/CVE-2020-8450.html https://www.suse.com/security/cve/CVE-2020-8517.html https://bugzilla.suse.com/1156323 https://bugzilla.suse.com/1156324 https://bugzilla.suse.com/1156326 https://bugzilla.suse.com/1156328 https://bugzilla.suse.com/1156329 https://bugzilla.suse.com/1162687 https://bugzilla.suse.com/1162689 
https://bugzilla.suse.com/1162691 From sle-security-updates at lists.suse.com Thu Mar 12 14:23:15 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 12 Mar 2020 21:23:15 +0100 (CET) Subject: SUSE-SU-2020:0658-1: moderate: Security update for php5 Message-ID: <20200312202315.0B4BCFC56@maintenance.suse.de> SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0658-1 Rating: moderate References: #1165280 #1165289 Cross-References: CVE-2020-7062 CVE-2020-7063 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for php5 fixes the following issues: - CVE-2020-7062: Fixed a null pointer dereference when using file upload functionality under specific circumstances (bsc#1165280). - CVE-2020-7063: Fixed an issue where adding files changes the permissions to default (bsc#1165289). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-658=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-658=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php5-debuginfo-5.5.14-109.71.1 php5-debugsource-5.5.14-109.71.1 php5-devel-5.5.14-109.71.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php5-5.5.14-109.71.1 apache2-mod_php5-debuginfo-5.5.14-109.71.1 php5-5.5.14-109.71.1 php5-bcmath-5.5.14-109.71.1 php5-bcmath-debuginfo-5.5.14-109.71.1 php5-bz2-5.5.14-109.71.1 php5-bz2-debuginfo-5.5.14-109.71.1 php5-calendar-5.5.14-109.71.1 php5-calendar-debuginfo-5.5.14-109.71.1 php5-ctype-5.5.14-109.71.1 php5-ctype-debuginfo-5.5.14-109.71.1 php5-curl-5.5.14-109.71.1 php5-curl-debuginfo-5.5.14-109.71.1 php5-dba-5.5.14-109.71.1 php5-dba-debuginfo-5.5.14-109.71.1 php5-debuginfo-5.5.14-109.71.1 php5-debugsource-5.5.14-109.71.1 php5-dom-5.5.14-109.71.1 php5-dom-debuginfo-5.5.14-109.71.1 php5-enchant-5.5.14-109.71.1 php5-enchant-debuginfo-5.5.14-109.71.1 php5-exif-5.5.14-109.71.1 php5-exif-debuginfo-5.5.14-109.71.1 php5-fastcgi-5.5.14-109.71.1 php5-fastcgi-debuginfo-5.5.14-109.71.1 php5-fileinfo-5.5.14-109.71.1 php5-fileinfo-debuginfo-5.5.14-109.71.1 php5-fpm-5.5.14-109.71.1 php5-fpm-debuginfo-5.5.14-109.71.1 php5-ftp-5.5.14-109.71.1 php5-ftp-debuginfo-5.5.14-109.71.1 php5-gd-5.5.14-109.71.1 php5-gd-debuginfo-5.5.14-109.71.1 php5-gettext-5.5.14-109.71.1 php5-gettext-debuginfo-5.5.14-109.71.1 php5-gmp-5.5.14-109.71.1 php5-gmp-debuginfo-5.5.14-109.71.1 php5-iconv-5.5.14-109.71.1 php5-iconv-debuginfo-5.5.14-109.71.1 php5-imap-5.5.14-109.71.1 php5-imap-debuginfo-5.5.14-109.71.1 php5-intl-5.5.14-109.71.1 php5-intl-debuginfo-5.5.14-109.71.1 php5-json-5.5.14-109.71.1 php5-json-debuginfo-5.5.14-109.71.1 
php5-ldap-5.5.14-109.71.1 php5-ldap-debuginfo-5.5.14-109.71.1 php5-mbstring-5.5.14-109.71.1 php5-mbstring-debuginfo-5.5.14-109.71.1 php5-mcrypt-5.5.14-109.71.1 php5-mcrypt-debuginfo-5.5.14-109.71.1 php5-mysql-5.5.14-109.71.1 php5-mysql-debuginfo-5.5.14-109.71.1 php5-odbc-5.5.14-109.71.1 php5-odbc-debuginfo-5.5.14-109.71.1 php5-opcache-5.5.14-109.71.1 php5-opcache-debuginfo-5.5.14-109.71.1 php5-openssl-5.5.14-109.71.1 php5-openssl-debuginfo-5.5.14-109.71.1 php5-pcntl-5.5.14-109.71.1 php5-pcntl-debuginfo-5.5.14-109.71.1 php5-pdo-5.5.14-109.71.1 php5-pdo-debuginfo-5.5.14-109.71.1 php5-pgsql-5.5.14-109.71.1 php5-pgsql-debuginfo-5.5.14-109.71.1 php5-phar-5.5.14-109.71.1 php5-phar-debuginfo-5.5.14-109.71.1 php5-posix-5.5.14-109.71.1 php5-posix-debuginfo-5.5.14-109.71.1 php5-pspell-5.5.14-109.71.1 php5-pspell-debuginfo-5.5.14-109.71.1 php5-shmop-5.5.14-109.71.1 php5-shmop-debuginfo-5.5.14-109.71.1 php5-snmp-5.5.14-109.71.1 php5-snmp-debuginfo-5.5.14-109.71.1 php5-soap-5.5.14-109.71.1 php5-soap-debuginfo-5.5.14-109.71.1 php5-sockets-5.5.14-109.71.1 php5-sockets-debuginfo-5.5.14-109.71.1 php5-sqlite-5.5.14-109.71.1 php5-sqlite-debuginfo-5.5.14-109.71.1 php5-suhosin-5.5.14-109.71.1 php5-suhosin-debuginfo-5.5.14-109.71.1 php5-sysvmsg-5.5.14-109.71.1 php5-sysvmsg-debuginfo-5.5.14-109.71.1 php5-sysvsem-5.5.14-109.71.1 php5-sysvsem-debuginfo-5.5.14-109.71.1 php5-sysvshm-5.5.14-109.71.1 php5-sysvshm-debuginfo-5.5.14-109.71.1 php5-tokenizer-5.5.14-109.71.1 php5-tokenizer-debuginfo-5.5.14-109.71.1 php5-wddx-5.5.14-109.71.1 php5-wddx-debuginfo-5.5.14-109.71.1 php5-xmlreader-5.5.14-109.71.1 php5-xmlreader-debuginfo-5.5.14-109.71.1 php5-xmlrpc-5.5.14-109.71.1 php5-xmlrpc-debuginfo-5.5.14-109.71.1 php5-xmlwriter-5.5.14-109.71.1 php5-xmlwriter-debuginfo-5.5.14-109.71.1 php5-xsl-5.5.14-109.71.1 php5-xsl-debuginfo-5.5.14-109.71.1 php5-zip-5.5.14-109.71.1 php5-zip-debuginfo-5.5.14-109.71.1 php5-zlib-5.5.14-109.71.1 php5-zlib-debuginfo-5.5.14-109.71.1 - SUSE Linux Enterprise Module for Web 
Scripting 12 (noarch): php5-pear-5.5.14-109.71.1 References: https://www.suse.com/security/cve/CVE-2020-7062.html https://www.suse.com/security/cve/CVE-2020-7063.html https://bugzilla.suse.com/1165280 https://bugzilla.suse.com/1165289 From sle-security-updates at lists.suse.com Fri Mar 13 05:43:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 12:43:35 +0100 (CET) Subject: SUSE-SU-2020:0667-1: important: Security update for the Linux Kernel Message-ID: <20200313114335.8D310F79E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0667-1 Rating: important References: #1050549 #1051510 #1061840 #1065600 #1065729 #1071995 #1085030 #1088810 #1105392 #1111666 #1112178 #1112504 #1114279 #1114648 #1118338 #1127682 #1129551 #1133021 #1133147 #1140025 #1142685 #1144162 #1152107 #1153535 #1154243 #1156609 #1157042 #1157158 #1157424 #1157480 #1157966 #1158013 #1159271 #1159955 #1160218 #1160979 #1161360 #1161552 #1161702 #1161907 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1162067 #1162109 #1162139 #1162171 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1163971 #1164051 #1164098 #1164115 #1164314 #1164315 #1164388 #1164471 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 Cross-References: CVE-2019-14895 CVE-2019-16746 CVE-2020-2732 CVE-2020-8428 CVE-2020-8648 CVE-2020-8992 Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP5 ______________________________________________________________________________ 
An update that solves 6 vulnerabilities and has 102 fixes is now available. Description: The SUSE Linux Enterprise 12-SP5 kernel-RT was updated to 4.12.14 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-8992: Fixed an issue in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069). - CVE-2020-8648: Fixed a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928). - CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971). - CVE-2019-16746: There was an issue in net/wireless/nl80211.c where the kernel did not check the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107). - CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bsc#1162109). - CVE-2019-14895: Fixed a heap-based buffer overflow in Marvell WiFi chip driver which could have led to denial of service or possibly execute arbitrary code (bsc#1157042). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510). - ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510). - ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510). - ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557). - ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557). 
- ACPI / watchdog: Set default timeout in probe (bsc#1162557). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda: Clear RIRB status before reading WP (bsc#1111666). - ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666). - ALSA: hda: constify copied structure (bsc#1111666). - ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666). - ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666). - ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda: hdmi - add Tigerlake support (bsc#1111666). - ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666). - ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666). - ALSA: hda: More constifications (bsc#1111666). - ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666). - ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666). - ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666). - ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666). - ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes). - ALSA: hda/realtek - More constifications (bsc#1111666). - ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666). - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes). 
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes). - ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: sh: Fix unused variable warnings (bsc#1111666). - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: sun8i-codec: Fix setting DAI data format (git-fixes). - ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388). - ath10k: Correct the DMA direction for management tx buffers (bsc#1111666). - ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666). - ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666). - ath9k: fix storage endpoint lookup (git-fixes). - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). - bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). - bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). - bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). - bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- cdrom: respect device capabilities during opening action (boo#1164632).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix deadlocks in autodisconnect work (bsc#1111666).
- cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: fix mount option display for sec=krb5i (bsc#1161907).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666).
- drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666).
- drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666).
- drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666).
- drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666).
- drm/i915: Sanity check mmap length against object size (bsc#1111666).
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666).
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666).
- drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/rect: Avoid division by zero (bsc#1111666).
- drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666).
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666).
- drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666).
- drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4: check for directory entries too close to block end (bsc#1163861).
- ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841).
- ext4: fix checksum errors with indexed dirs (bsc#1160979).
- ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: fix mount failure with quota configured as module (bsc#1164471).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- fscrypt: do not set policy for a dead directory (bsc#1163846).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/open.c: allow opening only regular files during execve() (bsc#1163845).
- ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
- ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- gtp: avoid zero size hashtable (networking-stable-20_01_01).
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
- gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
- hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028).
- hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598).
- hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598).
- hv_netvsc: Fix unwanted rx_table reset (bsc#1164598).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: clear persistence bit according to device family (bsc#1111666).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kabi/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535).
- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535).
- libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: update set_mac_address logic (bsc#1111666).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: sched: correct flower port blocking (git-fixes).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028).
- PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028).
- PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028).
- PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028).
- PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028).
- PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
- powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551).
- powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509).
- powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
- powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
- powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028).
- powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
- powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- README.BRANCH: Update the branch name to cve/linux-4.12
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- Revert "ath10k: fix DMA related firmware crashes on multiple devices" (git-fixes).
- Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510).
- Revert "locking/pvqspinlock: Do not wait if vCPU is preempted" (bsc#1050549).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11179).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
- sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179).
- stacktrace: Provide common infrastructure (jsc#SLE-11179).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Cleanup stack trace code (jsc#SLE-11179).
- tracing: Fix tracing_stat return values in error handling paths (git-fixes).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- USB: core: fix check for duplicate endpoints (git-fixes).
- USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- USB: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- USB: gadget: Zero ffs_io_data (bsc#1051510).
- USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usbip: Fix error path of vhci_recv_ret_submit() (git-fixes).
- USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- USB: roles: fix a potential use after free (git-fixes).
- USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- USB: serial: ir-usb: fix link-speed handling (bsc#1051510).
- USB: serial: option: Add support for Quectel RM500Q (bsc#1051510). - USB: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes). - USB: serial: option: add Telit ME910G1 0x110a composition (git-fixes). - USB: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes). - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510). - USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - watchdog: max77620_wdt: fix potential build errors (bsc#1051510). - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510). - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557). - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510). - wireless: wext: avoid gcc -O3 warning (bsc#1051510). - x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206). - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/intel_rdt: Split resource group removal in two (bsc#1112178). - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178). - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279). - x86/resctrl: Prevent possible overrun during bitmap operations (bsc#1114648). - xen/balloon: Support xend-based toolstack take two (bsc#1065600). 
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600). - xfrm: fix sa selector validation (bsc#1156609). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510). - zd1211rw: fix storage endpoint lookup (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 12-SP5: zypper in -t patch SUSE-SLE-RT-12-SP5-2020-667=1 Package List: - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch): kernel-devel-rt-4.12.14-10.5.1 kernel-source-rt-4.12.14-10.5.1 - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64): cluster-md-kmp-rt-4.12.14-10.5.1 dlm-kmp-rt-4.12.14-10.5.1 gfs2-kmp-rt-4.12.14-10.5.1 kernel-rt-4.12.14-10.5.1 kernel-rt-base-4.12.14-10.5.1 kernel-rt-devel-4.12.14-10.5.1 kernel-rt_debug-4.12.14-10.5.1 kernel-rt_debug-devel-4.12.14-10.5.1 kernel-syms-rt-4.12.14-10.5.1 ocfs2-kmp-rt-4.12.14-10.5.1 References: https://www.suse.com/security/cve/CVE-2019-14895.html https://www.suse.com/security/cve/CVE-2019-16746.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8992.html https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1105392 
https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114648 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1127682 https://bugzilla.suse.com/1129551 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1133147 https://bugzilla.suse.com/1140025 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144162 https://bugzilla.suse.com/1152107 https://bugzilla.suse.com/1153535 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1156609 https://bugzilla.suse.com/1157042 https://bugzilla.suse.com/1157158 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1157480 https://bugzilla.suse.com/1157966 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160979 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161907 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162557 https://bugzilla.suse.com/1162617 https://bugzilla.suse.com/1162618 https://bugzilla.suse.com/1162619 https://bugzilla.suse.com/1162623 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162943 https://bugzilla.suse.com/1163206 https://bugzilla.suse.com/1163383 https://bugzilla.suse.com/1163384 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163774 https://bugzilla.suse.com/1163836 https://bugzilla.suse.com/1163840 https://bugzilla.suse.com/1163841 https://bugzilla.suse.com/1163842 https://bugzilla.suse.com/1163843 
https://bugzilla.suse.com/1163844 https://bugzilla.suse.com/1163845 https://bugzilla.suse.com/1163846 https://bugzilla.suse.com/1163849 https://bugzilla.suse.com/1163850 https://bugzilla.suse.com/1163851 https://bugzilla.suse.com/1163852 https://bugzilla.suse.com/1163853 https://bugzilla.suse.com/1163855 https://bugzilla.suse.com/1163856 https://bugzilla.suse.com/1163857 https://bugzilla.suse.com/1163858 https://bugzilla.suse.com/1163859 https://bugzilla.suse.com/1163860 https://bugzilla.suse.com/1163861 https://bugzilla.suse.com/1163862 https://bugzilla.suse.com/1163863 https://bugzilla.suse.com/1163867 https://bugzilla.suse.com/1163869 https://bugzilla.suse.com/1163880 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164051 https://bugzilla.suse.com/1164098 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164314 https://bugzilla.suse.com/1164315 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164598 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 From sle-security-updates at lists.suse.com Fri Mar 13 08:13:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 15:13:46 +0100 (CET) Subject: SUSE-SU-2020:0668-1: moderate: Security update for glibc Message-ID: <20200313141346.E9FDFFCEF@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0668-1 Rating: moderate References: #1163184 #1164505 #1165784 Cross-References: CVE-2020-10029 Affected Products: SUSE 
Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthreads were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-668=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-668=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-668=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x x86_64): glibc-debugsource-2.26-13.39.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): glibc-html-2.26-13.39.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): glibc-32bit-debuginfo-2.26-13.39.1 glibc-devel-static-32bit-2.26-13.39.1 glibc-locale-base-32bit-2.26-13.39.1 glibc-locale-base-32bit-debuginfo-2.26-13.39.1 glibc-profile-32bit-2.26-13.39.1 glibc-utils-32bit-2.26-13.39.1 glibc-utils-32bit-debuginfo-2.26-13.39.1 glibc-utils-src-debugsource-2.26-13.39.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x
x86_64): glibc-debuginfo-2.26-13.39.1 glibc-debugsource-2.26-13.39.1 glibc-devel-static-2.26-13.39.1 glibc-utils-2.26-13.39.1 glibc-utils-debuginfo-2.26-13.39.1 glibc-utils-src-debugsource-2.26-13.39.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): glibc-32bit-debuginfo-2.26-13.39.1 glibc-devel-32bit-2.26-13.39.1 glibc-devel-32bit-debuginfo-2.26-13.39.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): glibc-2.26-13.39.1 glibc-debuginfo-2.26-13.39.1 glibc-debugsource-2.26-13.39.1 glibc-devel-2.26-13.39.1 glibc-devel-debuginfo-2.26-13.39.1 glibc-extra-2.26-13.39.1 glibc-extra-debuginfo-2.26-13.39.1 glibc-locale-2.26-13.39.1 glibc-locale-base-2.26-13.39.1 glibc-locale-base-debuginfo-2.26-13.39.1 glibc-profile-2.26-13.39.1 nscd-2.26-13.39.1 nscd-debuginfo-2.26-13.39.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): glibc-32bit-2.26-13.39.1 glibc-32bit-debuginfo-2.26-13.39.1 glibc-locale-base-32bit-2.26-13.39.1 glibc-locale-base-32bit-debuginfo-2.26-13.39.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): glibc-i18ndata-2.26-13.39.1 glibc-info-2.26-13.39.1 References: https://www.suse.com/security/cve/CVE-2020-10029.html https://bugzilla.suse.com/1163184 https://bugzilla.suse.com/1164505 https://bugzilla.suse.com/1165784 From sle-security-updates at lists.suse.com Fri Mar 13 11:14:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 18:14:19 +0100 (CET) Subject: SUSE-SU-2020:0671-1: moderate: Security update for SUSE Manager Server 4.0 Message-ID: <20200313171420.00F61F79E@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Server 4.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0671-1 Rating: moderate References: #1083326 #1085414 #1121640 #1123274 #1137248 #1140332 #1144176 #1152673 #1152795 #1153269 #1154246 #1154590 #1154599 
#1155281 #1155372 #1156751 #1157317 #1157346 #1157447 #1157700 #1157975 #1158178 #1158181 #1158283 #1158480 #1158564 #1158672 #1158697 #1158754 #1158818 #1158899 #1158943 #1159012 #1159023 #1159076 #1159184 #1159492 #1159553 #1160184 #1160940 #1161755 #1161862 #1162609 #1162683 #1164120 #1164309 #1164452 #1164649 #1164875 #1165541 #1165927 #1166061 #1166388 Cross-References: CVE-2018-1077 CVE-2020-1693 Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 ______________________________________________________________________________ An update that solves two vulnerabilities and has 51 fixes is now available. Description: This update fixes the following issues: branch-network-formula: - Update formula to include terminal naming and identification image-sync-formula: - Prevent installing xdelta3 package and disable delta functionality on SLE12 branch servers (bsc#1159553) mgr-osad: - Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697) patterns-suse-manager: - Add recommends for virtualization-host-formula to suma_server pattern - Add recommends for virtualization-host-formula to retail prometheus-formula: - Bugfix: disabled fields not enabled when checkbox is checked pxe-default-image-sle15: - Adapt to new kiwi version to fix pre registration in the bare-metal image (bsc#1153269) pxe-formula: - Add support for new features in terminal naming - Remove branch_id from pxe form, moved to branch-network form py26-compat-salt: - Replace pycrypto with M2Crypto as dependency for SLE15+ python-susemanager-retail: - Add support for terminal naming block - Add delta support for SLE15 tar.xz bundles redstone-xmlrpc: - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693) - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077) salt-netapi-client: - Version 0.17.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.17.0 spacecmd: - Bugfix: attempt to purge SSM when it is 
empty (bsc#1155372) spacewalk-admin: - Spell correctly "successful" and "successfully" spacewalk-backend: - Fix mgrcfg-client python3 breakage (bsc#1164309) - Update doc link to point to new documentation server - Prevent timestamp format exception on mgr-inter-sync while processing comps (bsc#1157346) - When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899) - Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync (bsc#1159076) - Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184) - Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672) - Close config files after reading them (bsc#1158283) - Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176) spacewalk-certs-tools: - Add 'start_event_grains' minion option to configfile when generated by bootstrap script - Forbid multiple activation keys for salt minions during bootstrap (bsc#1164452) - Add additional minion options to configfile when generated by bootstrap script (bsc#1159492) - Change the order to check the version correctly for RES (bsc#1152795) spacewalk-client-tools: - Spell correctly "successful" and "successfully" system-lock-formula: - Clarified terms along documentation and product (bsc#1166061) spacewalk-java: - Feat: enable Salt system lock when CaaSP node is onboarded and add dependency to 'system-lock-formula' (bsc#1165541) - Support non discoverable fqdns via custom grain (bsc#1155281) - Handle the non-existent requested grains gracefully - Get the machineid grain from the minion startup event - Use term 'patch' instead of 'errata' (bsc#1164649) - Enable provisioning API with salt and bootstrap entitled systems - Fix a problem with removing the monitoring entitlement from a system - Improve performance when adding systems to system groups (bsc#1158754) - Migrate pillar and formula data on minion id change (bsc#1161755) - Change doc links pointing to new documentation
server - Call saltutil.sync_all before calling highstate (bsc#1152673) - Exclude base products from PAYG (Pay-As-You-Go) instances when doing subscription matching - Show additional headers and dependencies for deb packages - Show adequate message on saving formulas that change only pillar data - Fix mgr-sync add channel when fromdir is configured (bsc#1160184) - Handle not found re-activation key (bsc#1159012) - Write a list of formulas sorted by execution order (bsc#1083326) - Use channel name from product tree instead of constructing it (bsc#1157317) - Read the subscriptions from the output instead of input (bsc#1140332) - Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248) - Fix container image import (bsc#1154246) - Add missing permission checks on formula api (bsc#1123274) - Generate metadata with empty vendor (bsc#1158480) - Remove undefined variable from redhat_register snippet - Add a method in API to check if the provided session key is a valid one. - Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176) - Fix minion id when applying engine-events state (bsc#1158181) - Remove unnecessary WARN log entries from Kubernetes integration - Fix for pillar not being refreshed when CaaSP pattern is detected upon software profile update (bsc#1166061) spacewalk-search: - Make rhn-search log to correct file (bsc#1156751) spacewalk-setup: - Spell correctly "successful" and "successfully" - create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#1166388) spacewalk-utils: - Spell "successfully" correctly spacewalk-web: - Don't validate mandatory fields that are not visible (bsc#1158943) - Fix count of changes to build (bsc#1160940) - Report merge_subscriptions message in a readable way (bsc#1140332) - Fix ordering by date (bsc#1158818) subscription-matcher: - Add missing library for SLE15 SP2 (slf4j-log4j12) - Make the code usable with Math3 on SLES - Use log4j12 package on newer SLE versions - Aggregate stackable 
subscriptions with same parameters - Implement new "swap move" used in optaplanner (bsc#1140332) - Enable aarch64 builds, except for SLE < 15 susemanager: - Add missing python libraries to RES8/RHEL8/CentOS 8 bootstrap repos (bsc#1164875) - Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862) - Add bootstrap-repo data for SLE15 SP2 Family - Fix documentation URL in installer (bsc#1154590) - Update requirements to match documented values (bsc#1154599) susemanager-doc-indexes: - Adding Additional FQDNS for Proxies with Salt - Reference guide review and update moving content into tabular format - Autogenerate pdf index from antora html nav lists - Documentation needs to address using RHEL8 in the correct way (bsc#1159023) - Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564) - Remove auditlog-keeper from list - Removed duplicate client requirements entries - Fix missing spaces throughout docs - Added the complete path for using manager-setup - Fix typo in vhm-kubernetes - Cleaned up client registration documents - Improved ubuntu instructions - Explain how to compose a DSN string for monitoring - Added publishing dates to individual book intros - Updated common spacewalk-common-channels usage
susemanager-docs_en: - Adding Additional FQDNS for Proxies with Salt - Reference guide review and update moving content into tabular format - Autogenerate pdf index from antora html nav lists - Documentation needs to address using RHEL8 in the correct way (bsc#1159023) - Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564) - Remove auditlog-keeper from list - Removed duplicate client requirements entries - Fix missing spaces throughout docs - Added the complete path for using manager-setup - Fix typo in vhm-kubernetes - Cleaned up client registration documents - Improved ubuntu instructions - Explain how to compose a DSN string for monitoring - Added publishing dates to individual book intros - Updated common spacewalk-common-channels usage susemanager-schema: - Add new 'payg' attribute to rhnServer table - Enable re-activation keys for salt managed systems (bsc#1159012) - Generate metadata with empty vendor (bsc#1158480) - Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178) susemanager-sls: - Install dmidecode before HW profile update when missing - Add mgr_start_event_grains.sls to update minion config - Add 'product' custom state module to handle installation of
SUSE products at client side (bsc#1157447) - Support reading of pillar data for minions from multiple files (bsc#1158754) - Do not workaround util.syncmodules for SSH minions (bsc#1162609) - Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683). - Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS. - Adapt sls file for pre-downloading in Ubuntu minions - Sort formulas by execution order (bsc#1083326) - Split remove_traditional_stack into two parts. One for all systems and another for clients not being a Uyuni Server or Proxy (bsc#1121640) - Change the order to check the version correctly for RES (bsc#1152795) - Do not break Servers registering to a Server - Remove the virt-poller cache when applying Virtualization entitlement - Force HTTP request timeout on public cloud grain (bsc#1157975) susemanager-sync-data: - Add OES 2018 SP2 (bsc#1161862) - Rename RHEL 8 Base product - Change channel family name according to SCC data How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64): patterns-suma_retail-4.0-9.10.2 patterns-suma_server-4.0-9.10.2 susemanager-4.0.22-3.20.3 susemanager-tools-4.0.22-3.20.3 - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): branch-network-formula-0.1.1580471316.1839544-3.10.2 image-sync-formula-0.1.1579102150.4716559-3.11.2 mgr-osa-dispatcher-4.0.11-3.9.2 prometheus-formula-0.1-4.7.2 pxe-default-image-sle15-4.0.1-20200305173027 pxe-formula-0.1.1580384994.6076a7e-3.11.2 py26-compat-salt-2016.11.10-10.11.2 python3-mgr-osa-common-4.0.11-3.9.2 python3-mgr-osa-dispatcher-4.0.11-3.9.2 python3-spacewalk-backend-libs-4.0.30-3.23.3 python3-spacewalk-certs-tools-4.0.15-3.15.2 python3-spacewalk-client-tools-4.0.12-3.13.2 python3-susemanager-retail-1.0.1580471316.1839544-3.13.2 redstone-xmlrpc-1.1_20071120-0.11.3.2 salt-netapi-client-0.17.0-4.3.2 spacecmd-4.0.18-3.13.2 spacewalk-admin-4.0.9-3.6.2 spacewalk-backend-4.0.30-3.23.3 spacewalk-backend-app-4.0.30-3.23.3 spacewalk-backend-applet-4.0.30-3.23.3 spacewalk-backend-config-files-4.0.30-3.23.3 spacewalk-backend-config-files-common-4.0.30-3.23.3 spacewalk-backend-config-files-tool-4.0.30-3.23.3 spacewalk-backend-iss-4.0.30-3.23.3 spacewalk-backend-iss-export-4.0.30-3.23.3 spacewalk-backend-package-push-server-4.0.30-3.23.3 spacewalk-backend-server-4.0.30-3.23.3 spacewalk-backend-sql-4.0.30-3.23.3 spacewalk-backend-sql-postgresql-4.0.30-3.23.3 spacewalk-backend-tools-4.0.30-3.23.3 spacewalk-backend-xml-export-libs-4.0.30-3.23.3 spacewalk-backend-xmlrpc-4.0.30-3.23.3 spacewalk-base-4.0.19-3.18.3 spacewalk-base-minimal-4.0.19-3.18.3 spacewalk-base-minimal-config-4.0.19-3.18.3 spacewalk-certs-tools-4.0.15-3.15.2 spacewalk-client-tools-4.0.12-3.13.2 spacewalk-html-4.0.19-3.18.3 
spacewalk-java-4.0.31-3.23.1 spacewalk-java-config-4.0.31-3.23.1 spacewalk-java-lib-4.0.31-3.23.1 spacewalk-java-postgresql-4.0.31-3.23.1 spacewalk-search-4.0.9-3.11.2 spacewalk-setup-4.0.13-3.11.1 spacewalk-taskomatic-4.0.31-3.23.1 spacewalk-utils-4.0.16-3.15.2 subscription-matcher-0.25-3.3.2 susemanager-doc-indexes-4.0-10.18.2 susemanager-docs_en-4.0-10.18.2 susemanager-docs_en-pdf-4.0-10.18.2 susemanager-retail-tools-1.0.1580471316.1839544-3.13.2 susemanager-schema-4.0.18-3.17.2 susemanager-sls-4.0.24-3.17.2 susemanager-sync-data-4.0.16-3.15.2 susemanager-web-libs-4.0.19-3.18.3 system-lock-formula-0.2-4.5.1 virtualization-host-formula-0.2-4.3.2 References: https://www.suse.com/security/cve/CVE-2018-1077.html https://www.suse.com/security/cve/CVE-2020-1693.html https://bugzilla.suse.com/1083326 https://bugzilla.suse.com/1085414 https://bugzilla.suse.com/1121640 https://bugzilla.suse.com/1123274 https://bugzilla.suse.com/1137248 https://bugzilla.suse.com/1140332 https://bugzilla.suse.com/1144176 https://bugzilla.suse.com/1152673 https://bugzilla.suse.com/1152795 https://bugzilla.suse.com/1153269 https://bugzilla.suse.com/1154246 https://bugzilla.suse.com/1154590 https://bugzilla.suse.com/1154599 https://bugzilla.suse.com/1155281 https://bugzilla.suse.com/1155372 https://bugzilla.suse.com/1156751 https://bugzilla.suse.com/1157317 https://bugzilla.suse.com/1157346 https://bugzilla.suse.com/1157447 https://bugzilla.suse.com/1157700 https://bugzilla.suse.com/1157975 https://bugzilla.suse.com/1158178 https://bugzilla.suse.com/1158181 https://bugzilla.suse.com/1158283 https://bugzilla.suse.com/1158480 https://bugzilla.suse.com/1158564 https://bugzilla.suse.com/1158672 https://bugzilla.suse.com/1158697 https://bugzilla.suse.com/1158754 https://bugzilla.suse.com/1158818 https://bugzilla.suse.com/1158899 https://bugzilla.suse.com/1158943 https://bugzilla.suse.com/1159012 https://bugzilla.suse.com/1159023 https://bugzilla.suse.com/1159076 https://bugzilla.suse.com/1159184 
https://bugzilla.suse.com/1159492 https://bugzilla.suse.com/1159553 https://bugzilla.suse.com/1160184 https://bugzilla.suse.com/1160940 https://bugzilla.suse.com/1161755 https://bugzilla.suse.com/1161862 https://bugzilla.suse.com/1162609 https://bugzilla.suse.com/1162683 https://bugzilla.suse.com/1164120 https://bugzilla.suse.com/1164309 https://bugzilla.suse.com/1164452 https://bugzilla.suse.com/1164649 https://bugzilla.suse.com/1164875 https://bugzilla.suse.com/1165541 https://bugzilla.suse.com/1165927 https://bugzilla.suse.com/1166061 https://bugzilla.suse.com/1166388 From sle-security-updates at lists.suse.com Fri Mar 13 11:32:01 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 18:32:01 +0100 (CET) Subject: SUSE-SU-2020:0684-1: moderate: Security update for salt Message-ID: <20200313173201.EC881F79E@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0684-1 Rating: moderate References: #1135656 #1153611 #1157465 #1158940 #1159118 #1160931 #1162327 #1162504 #1165425 Cross-References: CVE-2019-17361 CVE-2019-18897 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves two vulnerabilities and has 7 fixes is now available. 
Description: This update for salt fixes the following issues: - Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897) - Fix unit tests failures in test_batch_async tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - New configuration option for selection of grains in the minion start event. - Fix 'os_family' grain for Astra Linux Common Edition - Fix for salt-api NET API where unauthenticated attacker could run arbitrary code (CVE-2019-17361) (bsc#1162504) - Adds disabled parameter to mod_repo in aptpkg module Move token with atomic operation Bad API token files get deleted (bsc#1160931) - Support for Btrfs and XFS in parted and mkfs added - Adds list_downloaded for apt Module to enable pre-downloading support Adds virt.(pool|network)_get_xml functions - Various libvirt updates: * Add virt.pool_capabilities function * virt.pool_running improvements * Add virt.pool_deleted state * virt.network_define allow adding IP configuration - virt: adding kernel boot parameters to libvirt xml - Fix to scheduler when data['run'] does not exist (bsc#1159118) - Fix virt states to not fail on VMs already stopped - Fix applying of attributes for returner rawfile_json (bsc#1158940) - xfs: do not fail if type is not present (bsc#1153611) - Fix errors when running virt.get_hypervisor function - Align virt.full_info fixes with upstream Salt - Fix for log checking in x509 test - Read repo info without using interpolation (bsc#1135656) - Limiting M2Crypto to >= SLE15 - Replacing pycrypto with M2Crypto (bsc#1165425) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-684=1 - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-684=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-684=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): salt-api-2019.2.0-6.24.1 salt-cloud-2019.2.0-6.24.1 salt-master-2019.2.0-6.24.1 salt-proxy-2019.2.0-6.24.1 salt-ssh-2019.2.0-6.24.1 salt-standalone-formulas-configuration-2019.2.0-6.24.1 salt-syndic-2019.2.0-6.24.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): salt-fish-completion-2019.2.0-6.24.1 - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python2-salt-2019.2.0-6.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): python3-salt-2019.2.0-6.24.1 salt-2019.2.0-6.24.1 salt-doc-2019.2.0-6.24.1 salt-minion-2019.2.0-6.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): salt-bash-completion-2019.2.0-6.24.1 salt-zsh-completion-2019.2.0-6.24.1 References: https://www.suse.com/security/cve/CVE-2019-17361.html https://www.suse.com/security/cve/CVE-2019-18897.html https://bugzilla.suse.com/1135656 https://bugzilla.suse.com/1153611 https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1158940 https://bugzilla.suse.com/1159118 https://bugzilla.suse.com/1160931 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1165425 From sle-security-updates at lists.suse.com Fri Mar 13 11:40:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 18:40:05 +0100 (CET) Subject: SUSE-SU-2020:0686-1: important: Security update for MozillaFirefox 
Message-ID: <20200313174005.6A077F798@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0686-1
Rating: important
References: #1132665 #1166238
Cross-References: CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Desktop Applications 15-SP2
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)

- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where the 'copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-686=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-686=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-686=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-686=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-branding-upstream-68.6.0-3.75.1 MozillaFirefox-debuginfo-68.6.0-3.75.1 MozillaFirefox-debugsource-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (x86_64): MozillaFirefox-buildsymbols-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (s390x): MozillaFirefox-devel-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-branding-upstream-68.6.0-3.75.1 MozillaFirefox-debuginfo-68.6.0-3.75.1 MozillaFirefox-debugsource-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): MozillaFirefox-buildsymbols-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x): MozillaFirefox-devel-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.0-3.75.1 MozillaFirefox-debuginfo-68.6.0-3.75.1 MozillaFirefox-debugsource-68.6.0-3.75.1 MozillaFirefox-translations-common-68.6.0-3.75.1 MozillaFirefox-translations-other-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Desktop Applications 
15-SP2 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.0-3.75.1 MozillaFirefox-debuginfo-68.6.0-3.75.1 MozillaFirefox-debugsource-68.6.0-3.75.1 MozillaFirefox-translations-common-68.6.0-3.75.1 MozillaFirefox-translations-other-68.6.0-3.75.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.6.0-3.75.1 References: https://www.suse.com/security/cve/CVE-2019-20503.html https://www.suse.com/security/cve/CVE-2020-6805.html https://www.suse.com/security/cve/CVE-2020-6806.html https://www.suse.com/security/cve/CVE-2020-6807.html https://www.suse.com/security/cve/CVE-2020-6811.html https://www.suse.com/security/cve/CVE-2020-6812.html https://www.suse.com/security/cve/CVE-2020-6814.html https://bugzilla.suse.com/1132665 https://bugzilla.suse.com/1166238 From sle-security-updates at lists.suse.com Fri Mar 13 11:59:06 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 18:59:06 +0100 (CET) Subject: SUSE-SU-2020:0670-1: moderate: Recommended update for SUSE Manager Server 3.2 Message-ID: <20200313175906.4C0F5F79E@maintenance.suse.de> SUSE Security Update: Recommended update for SUSE Manager Server 3.2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0670-1 Rating: moderate References: #1165927 #1166388 Affected Products: SUSE Manager Server 3.2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update fixes the following issues: spacewalk-setup: - Create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#1166388) How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. 
Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 3.2:

  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-670=1

Package List:

- SUSE Manager Server 3.2 (noarch):

  spacewalk-setup-2.8.7.9-3.22.1

References:

https://bugzilla.suse.com/1165927
https://bugzilla.suse.com/1166388

From sle-security-updates at lists.suse.com Fri Mar 13 12:02:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Mar 2020 19:02:02 +0100 (CET)
Subject: SUSE-SU-2020:0671-1: moderate: Security update for SUSE Manager Server 4.0
Message-ID: <20200313180202.CD9ADFCEF@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0671-1
Rating: moderate
References: #1083326 #1085414 #1121640 #1123274 #1137248 #1140332 #1144176 #1152673 #1152795 #1153269 #1154246 #1154590 #1154599 #1155281 #1155372 #1156751 #1157317 #1157346 #1157447 #1157700 #1157975 #1158178 #1158181 #1158283 #1158480 #1158564 #1158672 #1158697 #1158754 #1158818 #1158899 #1158943 #1159012 #1159023 #1159076 #1159184 #1159492 #1159553 #1160184 #1160940 #1161755 #1161862 #1162609 #1162683 #1164120 #1164309 #1164452 #1164649 #1164875 #1165425 #1165541 #1165927 #1166061 #1166388
Cross-References: CVE-2018-1077 CVE-2019-16769 CVE-2020-1693
Affected Products:
  SUSE Linux Enterprise Module for SUSE Manager Server 4.0
  SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0
______________________________________________________________________________

An update that solves three vulnerabilities and has 51
fixes is now available. Description: This update fixes the following issues: branch-network-formula: - Update formula to include terminal naming and identification image-sync-formula: - Prevent installing xdelta3 package and disable delta functionality on SLE12 branch servers (bsc#1159553) mgr-osad: - Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697) patterns-suse-manager: - Add recommends for virtualization-host-formula to suma_server pattern - Add recommends for virtualization-host-formula to retail prometheus-formula: - Bugfix: disabled fields not enabled when checkbox is checked pxe-default-image-sle15: - Adapt to new kiwi version to fix pre registration in the bare-metal image (bsc#1153269) pxe-formula: - Add support for new features in terminal naming - Remove branch_id from pxe form, moved to branch-network form py26-compat-salt: - Replace pycrypto with M2Crypto as dependency for SLE15+ python-susemanager-retail: - Add support for terminal naming block - Add delta support for SLE15 tar.xz bundles redstone-xmlrpc: - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693) - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077) salt-netapi-client: - Version 0.17.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.17.0 spacecmd: - Bugfix: attempt to purge SSM when it is empty (bsc#1155372) spacewalk-admin: - Spell correctly "successful" and "successfully" spacewalk-backend: - Fix mgrcfg-client python3 breakage (bsc#1164309) - Update doc link to point to new documentation server - Prevent timestamp format exception on mgr-inter-sync while processing comps (bsc#1157346) - When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899) - Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync (bsc#1159076) - Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184) - Prevent a traceback when 
reposyncing openSUSE 15.1 (bsc#1158672)
- Close config files after reading them (bsc#1158283)
- Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)

spacewalk-certs-tools:
- Add 'start_event_grains' minion option to configfile when generated by bootstrap script
- Forbid multiple activation keys for salt minions during bootstrap (bsc#1164452)
- Add additional minion options to configfile when generated by bootstrap script (bsc#1159492)
- Change the order to check the version correctly for RES (bsc#1152795)

spacewalk-client-tools:
- Spell correctly "successful" and "successfully"

system-lock-formula:
- Clarified terms along documentation and product (bsc#1166061)

spacewalk-java:
- Feat: enable Salt system lock when CaaSP node is onboarded and add dependency to 'system-lock-formula' (bsc#1165541)
- Support non discoverable fqdns via custom grain (bsc#1155281)
- Handle the non-existent requested grains gracefully
- Get the machineid grain from the minion startup event
- Use term 'patch' instead of 'errata' (bsc#1164649)
- Enable provisioning API with salt and bootstrap entitled systems
- Fix a problem with removing the monitoring entitlement from a system
- Improve performance when adding systems to system groups (bsc#1158754)
- Migrate pillar and formula data on minion id change (bsc#1161755)
- Change doc links pointing to new documentation server
- Call saltutil.sync_all before calling highstate (bsc#1152673)
- Exclude base products from PAYG (Pay-As-You-Go) instances when doing subscription matching
- Show additional headers and dependencies for deb packages
- Show adequate message on saving formulas that change only pillar data
- Fix mgr-sync add channel when fromdir is configured (bsc#1160184)
- Handle not found re-activation key (bsc#1159012)
- Write a list of formulas sorted by execution order (bsc#1083326)
- Use channel name from product tree instead of constructing it (bsc#1157317)
- Read the subscriptions from the output instead of
input (bsc#1140332)
- Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248)
- Fix container image import (bsc#1154246)
- Add missing permission checks on formula api (bsc#1123274)
- Generate metadata with empty vendor (bsc#1158480)
- Remove undefined variable from redhat_register snippet
- Add a method in API to check if the provided session key is a valid one.
- Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)
- Fix minion id when applying engine-events state (bsc#1158181)
- Remove unnecessary WARN log entries from Kubernetes integration
- Fix for pillar not being refreshed when CaaSP pattern is detected upon software profile update (bsc#1166061)

spacewalk-search:
- Make rhn-search log to correct file (bsc#1156751)

spacewalk-setup:
- Spell correctly "successful" and "successfully"
- create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#1166388)

spacewalk-utils:
- Spell "successfully" correctly

spacewalk-web:
- Don't validate mandatory fields that are not visible (bsc#1158943)
- Fix count of changes to build (bsc#1160940)
- Report merge_subscriptions message in a readable way (bsc#1140332)
- Fix ordering by date (bsc#1158818)

subscription-matcher:
- Add missing library for SLE15 SP2 (slf4j-log4j12)
- Make the code usable with Math3 on SLES
- Use log4j12 package on newer SLE versions
- Aggregate stackable subscriptions with same parameters
- Implement new "swap move" used in optaplanner (bsc#1140332)
- Enable aarch64 builds, except for SLE < 15

susemanager:
- Add missing python libraries to RES8/RHEL8/CentOS 8 bootstrap repos (bsc#1164875)
- Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
- Add bootstrap-repo data for SLE15 SP2 Family
- Fix documentation URL in installer (bsc#1154590)
- Update requirements to match documented values (bsc#1154599)

susemanager-doc-indexes:
- Adding Additional FQDNS for Proxies with Salt
- Reference guide review and update moving content into tabular format
-
Autogenerate pdf index from antora html nav lists
- Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
- Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
- Remove auditlog-keeper from list
- Removed duplicate client requirements entries
- Fix missing spaces throughout docs
- Added the complete path for using manager-setup
- Fix typo in vhm-kubernetes
- Cleaned up client registration documents
- Improved ubuntu instructions
- Explain how to compose a DSN string for monitoring
- Added publishing dates to individual book intros
- Updated common spacewalk-common-channels usage

susemanager-docs_en:
- Adding Additional FQDNS for Proxies with Salt
- Reference guide review and update moving content into tabular format
- Autogenerate pdf index from antora html nav lists
- Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
- Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
- Remove auditlog-keeper from list
- Removed duplicate client requirements entries
- Fix missing spaces throughout docs
- Added the complete path for using manager-setup
- Fix typo in vhm-kubernetes
- Cleaned up client registration documents
- Improved ubuntu instructions
- Explain how to compose a DSN string for monitoring
- Added publishing dates to individual book intros
- Updated common spacewalk-common-channels usage

susemanager-schema:
- Add new 'payg' attribute to rhnServer table
- Enable re-activation keys for salt managed systems (bsc#1159012)
- Generate metadata with empty vendor (bsc#1158480)
- Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178)

susemanager-sls:
- Install dmidecode before HW profile update when missing
- Add mgr_start_event_grains.sls to update minion config
- Add 'product' custom state module to handle installation of SUSE products at client side (bsc#1157447)
- Support reading of pillar data for minions from multiple files (bsc#1158754)
- Do not workaround util.syncmodules for SSH minions (bsc#1162609)
- Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683).
- Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS.
- Adapt sls file for pre-downloading in Ubuntu minions
- Sort formulas by execution order (bsc#1083326)
- Split remove_traditional_stack into two parts.
One for all systems and another for clients not being a Uyuni Server or Proxy (bsc#1121640) - Change the order to check the version correctly for RES (bsc#1152795) - Do not break Servers registering to a Server - Remove the virt-poller cache when applying Virtualization entitlement - Force HTTP request timeout on public cloud grain (bsc#1157975) susemanager-sync-data: - Add OES 2018 SP2 (bsc#1161862) - Rename RHEL 8 Base product - Change channel family name according to SCC data How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671=1 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.0-2020-671=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64): patterns-suma_retail-4.0-9.10.2 patterns-suma_server-4.0-9.10.2 susemanager-4.0.22-3.20.3 susemanager-tools-4.0.22-3.20.3 - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): branch-network-formula-0.1.1580471316.1839544-3.10.2 image-sync-formula-0.1.1579102150.4716559-3.11.2 mgr-osa-dispatcher-4.0.11-3.9.2 prometheus-formula-0.1-4.7.2 pxe-default-image-sle15-4.0.1-20200305173027 pxe-formula-0.1.1580384994.6076a7e-3.11.2 py26-compat-salt-2016.11.10-10.11.2 python3-mgr-osa-common-4.0.11-3.9.2 python3-mgr-osa-dispatcher-4.0.11-3.9.2 python3-spacewalk-backend-libs-4.0.30-3.23.3 
python3-spacewalk-certs-tools-4.0.15-3.15.2 python3-spacewalk-client-tools-4.0.12-3.13.2 python3-susemanager-retail-1.0.1580471316.1839544-3.13.2 redstone-xmlrpc-1.1_20071120-0.11.3.2 salt-netapi-client-0.17.0-4.3.2 spacecmd-4.0.18-3.13.2 spacewalk-admin-4.0.9-3.6.2 spacewalk-backend-4.0.30-3.23.3 spacewalk-backend-app-4.0.30-3.23.3 spacewalk-backend-applet-4.0.30-3.23.3 spacewalk-backend-config-files-4.0.30-3.23.3 spacewalk-backend-config-files-common-4.0.30-3.23.3 spacewalk-backend-config-files-tool-4.0.30-3.23.3 spacewalk-backend-iss-4.0.30-3.23.3 spacewalk-backend-iss-export-4.0.30-3.23.3 spacewalk-backend-package-push-server-4.0.30-3.23.3 spacewalk-backend-server-4.0.30-3.23.3 spacewalk-backend-sql-4.0.30-3.23.3 spacewalk-backend-sql-postgresql-4.0.30-3.23.3 spacewalk-backend-tools-4.0.30-3.23.3 spacewalk-backend-xml-export-libs-4.0.30-3.23.3 spacewalk-backend-xmlrpc-4.0.30-3.23.3 spacewalk-base-4.0.19-3.18.3 spacewalk-base-minimal-4.0.19-3.18.3 spacewalk-base-minimal-config-4.0.19-3.18.3 spacewalk-certs-tools-4.0.15-3.15.2 spacewalk-client-tools-4.0.12-3.13.2 spacewalk-html-4.0.19-3.18.3 spacewalk-java-4.0.31-3.23.1 spacewalk-java-config-4.0.31-3.23.1 spacewalk-java-lib-4.0.31-3.23.1 spacewalk-java-postgresql-4.0.31-3.23.1 spacewalk-search-4.0.9-3.11.2 spacewalk-setup-4.0.13-3.11.1 spacewalk-taskomatic-4.0.31-3.23.1 spacewalk-utils-4.0.16-3.15.2 subscription-matcher-0.25-3.3.2 susemanager-doc-indexes-4.0-10.18.2 susemanager-docs_en-4.0-10.18.2 susemanager-docs_en-pdf-4.0-10.18.2 susemanager-retail-tools-1.0.1580471316.1839544-3.13.2 susemanager-schema-4.0.18-3.17.2 susemanager-sls-4.0.24-3.17.2 susemanager-sync-data-4.0.16-3.15.2 susemanager-web-libs-4.0.19-3.18.3 system-lock-formula-0.2-4.5.1 virtualization-host-formula-0.2-4.3.2 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (ppc64le s390x x86_64): patterns-suma_proxy-4.0-9.10.2 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (noarch): mgr-osad-4.0.11-3.9.2 
python3-mgr-osa-common-4.0.11-3.9.2 python3-mgr-osad-4.0.11-3.9.2 python3-spacewalk-backend-libs-4.0.30-3.23.3 python3-spacewalk-certs-tools-4.0.15-3.15.2 python3-spacewalk-check-4.0.12-3.13.2 python3-spacewalk-client-setup-4.0.12-3.13.2 python3-spacewalk-client-tools-4.0.12-3.13.2 spacecmd-4.0.18-3.13.2 spacewalk-backend-4.0.30-3.23.3 spacewalk-base-minimal-4.0.19-3.18.3 spacewalk-base-minimal-config-4.0.19-3.18.3 spacewalk-certs-tools-4.0.15-3.15.2 spacewalk-check-4.0.12-3.13.2 spacewalk-client-setup-4.0.12-3.13.2 spacewalk-client-tools-4.0.12-3.13.2 supportutils-plugin-susemanager-client-4.0.3-3.3.2 supportutils-plugin-susemanager-proxy-4.0.3-3.3.2 References: https://www.suse.com/security/cve/CVE-2018-1077.html https://www.suse.com/security/cve/CVE-2019-16769.html https://www.suse.com/security/cve/CVE-2020-1693.html https://bugzilla.suse.com/1083326 https://bugzilla.suse.com/1085414 https://bugzilla.suse.com/1121640 https://bugzilla.suse.com/1123274 https://bugzilla.suse.com/1137248 https://bugzilla.suse.com/1140332 https://bugzilla.suse.com/1144176 https://bugzilla.suse.com/1152673 https://bugzilla.suse.com/1152795 https://bugzilla.suse.com/1153269 https://bugzilla.suse.com/1154246 https://bugzilla.suse.com/1154590 https://bugzilla.suse.com/1154599 https://bugzilla.suse.com/1155281 https://bugzilla.suse.com/1155372 https://bugzilla.suse.com/1156751 https://bugzilla.suse.com/1157317 https://bugzilla.suse.com/1157346 https://bugzilla.suse.com/1157447 https://bugzilla.suse.com/1157700 https://bugzilla.suse.com/1157975 https://bugzilla.suse.com/1158178 https://bugzilla.suse.com/1158181 https://bugzilla.suse.com/1158283 https://bugzilla.suse.com/1158480 https://bugzilla.suse.com/1158564 https://bugzilla.suse.com/1158672 https://bugzilla.suse.com/1158697 https://bugzilla.suse.com/1158754 https://bugzilla.suse.com/1158818 https://bugzilla.suse.com/1158899 https://bugzilla.suse.com/1158943 https://bugzilla.suse.com/1159012 https://bugzilla.suse.com/1159023 
https://bugzilla.suse.com/1159076 https://bugzilla.suse.com/1159184 https://bugzilla.suse.com/1159492 https://bugzilla.suse.com/1159553 https://bugzilla.suse.com/1160184 https://bugzilla.suse.com/1160940 https://bugzilla.suse.com/1161755 https://bugzilla.suse.com/1161862 https://bugzilla.suse.com/1162609 https://bugzilla.suse.com/1162683 https://bugzilla.suse.com/1164120 https://bugzilla.suse.com/1164309 https://bugzilla.suse.com/1164452 https://bugzilla.suse.com/1164649 https://bugzilla.suse.com/1164875 https://bugzilla.suse.com/1165425 https://bugzilla.suse.com/1165541 https://bugzilla.suse.com/1165927 https://bugzilla.suse.com/1166061 https://bugzilla.suse.com/1166388 From sle-security-updates at lists.suse.com Fri Mar 13 12:21:38 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Mar 2020 19:21:38 +0100 (CET) Subject: SUSE-SU-2020:0688-1: moderate: Security update for the Linux Kernel Message-ID: <20200313182138.22294FCEF@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0688-1 Rating: moderate References: #1050549 #1051510 #1061840 #1065600 #1065729 #1071995 #1088810 #1105392 #1111666 #1112178 #1112504 #1114279 #1118338 #1133021 #1133147 #1140025 #1142685 #1144162 #1157424 #1157480 #1157966 #1158013 #1159271 #1160218 #1160979 #1161360 #1161702 #1161907 #1162557 #1162617 #1162618 #1162619 #1162623 #1162928 #1162943 #1163206 #1163383 #1163384 #1163762 #1163774 #1163836 #1163840 #1163841 #1163842 #1163843 #1163844 #1163845 #1163846 #1163849 #1163850 #1163851 #1163852 #1163853 #1163855 #1163856 #1163857 #1163858 #1163859 #1163860 #1163861 #1163862 #1163863 #1163867 #1163869 #1163880 #1163971 #1164051 #1164069 #1164098 #1164115 #1164314 #1164315 #1164388 #1164471 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 
#1164735 Cross-References: CVE-2020-2732 CVE-2020-8648 CVE-2020-8992 Affected Products: SUSE Linux Enterprise Module for Realtime 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that solves three vulnerabilities and has 84 fixes is now available. Description: The SUSE Linux Enterprise 15-SP1 kernel-RT was updated to 4.12.14 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-8992: Fixed an issue in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069). - CVE-2020-8648: Fixed a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928). - CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971). The following non-security bugs were fixed: - ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510). - ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510). - ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510). - ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557). - ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557). - ACPI / watchdog: Set default timeout in probe (bsc#1162557). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666). - ALSA: hda: Clear RIRB status before reading WP (bsc#1111666). - ALSA: hda: hdmi - add Tigerlake support (bsc#1111666). - ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666). - ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666). - ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666). 
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes). - ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666). - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes). - ALSA: seq: Avoid concurrent access to queue flags (git-fixes). - ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes). - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: sun8i-codec: Fix setting DAI data format (git-fixes). - ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762). - bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). - bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). - bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). 
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). - bcache: fix static checker warning in bcache_device_free() (bsc#1163762). - bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504). - bcache: print written and keys in trace_bcache_btree_write (bsc#1163762). - bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762). - bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762). - bcache: remove macro nr_to_fifo_front() (bsc#1163762). - bcache: remove member accessed from struct btree (bsc#1163762). - bcache: remove the extra cflags for request.o (bsc#1163762). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504). - blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840). - blk-mq: make sure that line break can be printed (bsc#1164098). - Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510). - Btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943). - Btrfs: fix infinite loop during fsync after rename operations (bsc#1163383). - Btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384). - cdrom: respect device capabilities during opening action (boo#1164632). - chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849). - cifs: fix mount option display for sec=krb5i (bsc#1161907). - clk: mmp2: Fix the order of timer mux parents (bsc#1051510). - clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510). - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510). - clk: tegra: Mark fuse clock as critical (bsc#1051510). - clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). - Documentation: Document arm64 kpti control (bsc#1162623). 
- drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632). - enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147). - ext2: check err when partial != NULL (bsc#1163859). - ext4: check for directory entries too close to block end (bsc#1163861). - ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841). - ext4: fix checksum errors with indexed dirs (bsc#1160979). - ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842). - ext4: fix mount failure with quota configured as module (bsc#1164471). - ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843). - ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853). 
   - fix autofs regression caused by follow_managed() changes (bsc#1159271).
   - fix dget_parent() fastpath race (bsc#1159271).
   - fscrypt: do not set policy for a dead directory (bsc#1163846).
   - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
   - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
   - fs/open.c: allow opening only regular files during execve() (bsc#1163845).
   - ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
   - ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
   - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
   - gtp: avoid zero size hashtable (networking-stable-20_01_01).
   - gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
   - gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
   - gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
   - hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028).
   - hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598).
   - hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598).
   - hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598).
   - hv_netvsc: Fix unwanted rx_table reset (bsc#1164598).
   - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206).
   - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
   - iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
   - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
   - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
   - iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
   - iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
   - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
   - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
   - jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
   - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
   - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
   - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
   - kabi/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028).
   - kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
   - kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
   - KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
   - KVM: fix spectrev1 gadgets (bsc#1164705).
   - KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
   - KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
   - KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
   - KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
   - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
   - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
   - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
   - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
   - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
   - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
   - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
   - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
   - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
   - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
   - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
   - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
   - lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
   - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
   - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
   - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
   - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
   - locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
   - mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
   - mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
   - md/raid0: Fix buffer overflow at debug print (bsc#1164051).
   - media: af9005: uninitialized variable printked (bsc#1051510).
   - media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
   - media: digitv: do not continue if remote control state can't be read (bsc#1051510).
   - media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
   - media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
   - media: gspca: zero usb_buf (bsc#1051510).
   - media: iguanair: fix endpoint sanity check (bsc#1051510).
   - media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
   - media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
   - media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
   - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
   - media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
   - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
   - mfd: da9062: Fix watchdog compatible string (bsc#1051510).
   - mfd: dln2: More sanity checking for endpoints (bsc#1051510).
   - mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
   - mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
   - mod_devicetable: fix PHY module format (networking-stable-19_12_28).
   - mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
   - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
   - net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
   - net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
   - net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
   - net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
   - net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
   - net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
   - net: sched: correct flower port blocking (git-fixes).
   - net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
   - new helper: lookup_positive_unlocked() (bsc#1159271).
   - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
   - PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
   - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
   - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
   - PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028).
   - PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028).
   - PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028).
   - PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028).
   - PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028).
   - PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028).
   - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
   - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
   - perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
   - powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
   - powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
   - powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509).
   - powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028).
   - powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
   - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
   - powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028).
   - powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028).
   - powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028).
   - powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028).
   - powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
   - powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
   - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
   - powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
   - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
   - power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
   - pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
   - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
   - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
   - pwm: Remove set but not set variable 'pwm' (git-fixes).
   - pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
   - qede: Fix multicast mac configuration (networking-stable-19_12_28).
   - qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
   - quota: Check that quota is not dirty before release (bsc#1163858).
   - quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
   - r8152: get default setting of WOL before initializing (bsc#1051510).
   - regulator: Fix return value of _set_load() stub (bsc#1051510).
   - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
   - reiserfs: Fix memory leak of journal device string (bsc#1163867).
   - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
   - Revert "locking/pvqspinlock: Do not wait if vCPU is preempted" (bsc#1050549).
   - rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
   - rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
   - rpm/kernel-binary.spec.in: Replace Novell with SUSE
   - rtc: cmos: Stop using shared IRQ (bsc#1051510).
   - rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
   - rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
   - rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
   - scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
   - scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
   - sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
   - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
   - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
   - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
   - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
   - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
   - sh_eth: fix dumping ARSTR (bsc#1051510).
   - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
   - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
   - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
   - sh_eth: fix TXALCR1 offsets (bsc#1051510).
   - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
   - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
   - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
   - soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
   - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
   - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
   - spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
   - spi: tegra114: flush fifos (bsc#1051510).
   - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
   - sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
   - staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
   - staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
   - staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
   - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
   - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
   - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
   - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
   - tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
   - tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
   - tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
   - tracing: Fix tracing_stat return values in error handling paths (git-fixes).
   - tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
   - tty: n_hdlc: fix build on SPARC (bsc#1051510).
   - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
   - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
   - tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
   - ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
   - ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
   - ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
   - ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
   - udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
   - USB: core: fix check for duplicate endpoints (git-fixes).
   - USB: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
   - USB: gadget: legacy: set max_speed to super-speed (bsc#1051510).
   - USB: gadget: Zero ffs_io_data (bsc#1051510).
   - USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
   - usbip: Fix error path of vhci_recv_ret_submit() (git-fixes).
   - USB: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes).
   - USB: serial: option: add Telit ME910G1 0x110a composition (git-fixes).
   - USB: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes).
   - usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
   - vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01).
   - watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
   - watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
   - watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
   - wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
   - wireless: wext: avoid gcc -O3 warning (bsc#1051510).
   - x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
   - x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
   - x86/intel_rdt: Split resource group removal in two (bsc#1112178).
   - x86/intel_rdt: Split resource group removal in two (bsc#1112178).
   - x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
   - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
   - x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
   - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
   - x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
   - x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
   - xen/balloon: Support xend-based toolstack take two (bsc#1065600).
   - xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
   - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
   - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
   - xhci: make sure interrupts are restored to correct state (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP1:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2020-688=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-688=1

Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP1 (noarch):

      kernel-devel-rt-4.12.14-14.20.1
      kernel-source-rt-4.12.14-14.20.1

   - SUSE Linux Enterprise Module for Realtime 15-SP1 (x86_64):

      cluster-md-kmp-rt-4.12.14-14.20.1
      cluster-md-kmp-rt-debuginfo-4.12.14-14.20.1
      dlm-kmp-rt-4.12.14-14.20.1
      dlm-kmp-rt-debuginfo-4.12.14-14.20.1
      gfs2-kmp-rt-4.12.14-14.20.1
      gfs2-kmp-rt-debuginfo-4.12.14-14.20.1
      kernel-rt-4.12.14-14.20.1
      kernel-rt-base-4.12.14-14.20.1
      kernel-rt-base-debuginfo-4.12.14-14.20.1
      kernel-rt-debuginfo-4.12.14-14.20.1
      kernel-rt-debugsource-4.12.14-14.20.1
      kernel-rt-devel-4.12.14-14.20.1
      kernel-rt-devel-debuginfo-4.12.14-14.20.1
      kernel-rt_debug-debuginfo-4.12.14-14.20.1
      kernel-rt_debug-debugsource-4.12.14-14.20.1
      kernel-rt_debug-devel-4.12.14-14.20.1
      kernel-rt_debug-devel-debuginfo-4.12.14-14.20.1
      kernel-syms-rt-4.12.14-14.20.1
      ocfs2-kmp-rt-4.12.14-14.20.1
      ocfs2-kmp-rt-debuginfo-4.12.14-14.20.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      cluster-md-kmp-rt_debug-4.12.14-14.20.1
      cluster-md-kmp-rt_debug-debuginfo-4.12.14-14.20.1
      dlm-kmp-rt_debug-4.12.14-14.20.1
      dlm-kmp-rt_debug-debuginfo-4.12.14-14.20.1
      gfs2-kmp-rt_debug-4.12.14-14.20.1
      gfs2-kmp-rt_debug-debuginfo-4.12.14-14.20.1
      kernel-rt-debuginfo-4.12.14-14.20.1
      kernel-rt-debugsource-4.12.14-14.20.1
      kernel-rt-extra-4.12.14-14.20.1
      kernel-rt-extra-debuginfo-4.12.14-14.20.1
      kernel-rt-livepatch-devel-4.12.14-14.20.1
      kernel-rt_debug-4.12.14-14.20.1
      kernel-rt_debug-base-4.12.14-14.20.1
      kernel-rt_debug-base-debuginfo-4.12.14-14.20.1
      kernel-rt_debug-debuginfo-4.12.14-14.20.1
      kernel-rt_debug-debugsource-4.12.14-14.20.1
      kernel-rt_debug-extra-4.12.14-14.20.1
      kernel-rt_debug-extra-debuginfo-4.12.14-14.20.1
      kernel-rt_debug-livepatch-devel-4.12.14-14.20.1
      kselftests-kmp-rt-4.12.14-14.20.1
      kselftests-kmp-rt-debuginfo-4.12.14-14.20.1
      kselftests-kmp-rt_debug-4.12.14-14.20.1
      kselftests-kmp-rt_debug-debuginfo-4.12.14-14.20.1
      ocfs2-kmp-rt_debug-4.12.14-14.20.1
      ocfs2-kmp-rt_debug-debuginfo-4.12.14-14.20.1
      reiserfs-kmp-rt-4.12.14-14.20.1
      reiserfs-kmp-rt-debuginfo-4.12.14-14.20.1
      reiserfs-kmp-rt_debug-4.12.14-14.20.1
      reiserfs-kmp-rt_debug-debuginfo-4.12.14-14.20.1

References:

   https://www.suse.com/security/cve/CVE-2020-2732.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8992.html
   https://bugzilla.suse.com/1050549
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1061840
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1088810
   https://bugzilla.suse.com/1105392
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1112504
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1118338
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1133147
   https://bugzilla.suse.com/1140025
   https://bugzilla.suse.com/1142685
   https://bugzilla.suse.com/1144162
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1157480
   https://bugzilla.suse.com/1157966
   https://bugzilla.suse.com/1158013
   https://bugzilla.suse.com/1159271
   https://bugzilla.suse.com/1160218
   https://bugzilla.suse.com/1160979
   https://bugzilla.suse.com/1161360
   https://bugzilla.suse.com/1161702
   https://bugzilla.suse.com/1161907
   https://bugzilla.suse.com/1162557
   https://bugzilla.suse.com/1162617
   https://bugzilla.suse.com/1162618
   https://bugzilla.suse.com/1162619
   https://bugzilla.suse.com/1162623
   https://bugzilla.suse.com/1162928
   https://bugzilla.suse.com/1162943
   https://bugzilla.suse.com/1163206
   https://bugzilla.suse.com/1163383
   https://bugzilla.suse.com/1163384
   https://bugzilla.suse.com/1163762
   https://bugzilla.suse.com/1163774
   https://bugzilla.suse.com/1163836
   https://bugzilla.suse.com/1163840
   https://bugzilla.suse.com/1163841
   https://bugzilla.suse.com/1163842
   https://bugzilla.suse.com/1163843
   https://bugzilla.suse.com/1163844
   https://bugzilla.suse.com/1163845
   https://bugzilla.suse.com/1163846
   https://bugzilla.suse.com/1163849
   https://bugzilla.suse.com/1163850
   https://bugzilla.suse.com/1163851
   https://bugzilla.suse.com/1163852
   https://bugzilla.suse.com/1163853
   https://bugzilla.suse.com/1163855
   https://bugzilla.suse.com/1163856
   https://bugzilla.suse.com/1163857
   https://bugzilla.suse.com/1163858
   https://bugzilla.suse.com/1163859
   https://bugzilla.suse.com/1163860
   https://bugzilla.suse.com/1163861
   https://bugzilla.suse.com/1163862
   https://bugzilla.suse.com/1163863
   https://bugzilla.suse.com/1163867
   https://bugzilla.suse.com/1163869
   https://bugzilla.suse.com/1163880
   https://bugzilla.suse.com/1163971
   https://bugzilla.suse.com/1164051
   https://bugzilla.suse.com/1164069
   https://bugzilla.suse.com/1164098
   https://bugzilla.suse.com/1164115
   https://bugzilla.suse.com/1164314
   https://bugzilla.suse.com/1164315
   https://bugzilla.suse.com/1164388
   https://bugzilla.suse.com/1164471
   https://bugzilla.suse.com/1164598
   https://bugzilla.suse.com/1164632
   https://bugzilla.suse.com/1164705
   https://bugzilla.suse.com/1164712
   https://bugzilla.suse.com/1164727
   https://bugzilla.suse.com/1164728
   https://bugzilla.suse.com/1164729
   https://bugzilla.suse.com/1164730
   https://bugzilla.suse.com/1164731
   https://bugzilla.suse.com/1164732
   https://bugzilla.suse.com/1164733
   https://bugzilla.suse.com/1164734
   https://bugzilla.suse.com/1164735

From sle-security-updates at lists.suse.com Fri Mar 13 14:17:26 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Mar 2020 21:17:26 +0100 (CET)
Subject: SUSE-SU-2020:0693-1: moderate: Security update for wireshark
Message-ID:
 <20200313201726.28AE7FC56@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0693-1
Rating:             moderate
References:         #1093733 #1094301 #1101776 #1101777 #1101786 #1101788
                    #1101791 #1101794 #1101800 #1101802 #1101804 #1101810
                    #1106514 #1111647 #1117740 #1121231 #1121232 #1121233
                    #1121234 #1121235 #1127367 #1127369 #1127370 #1131941
                    #1131945 #1136021 #1141980 #1150690 #1156288 #1158505
                    #1161052 #1165241 #1165710 #957624
Cross-References:   CVE-2018-11354 CVE-2018-11355 CVE-2018-11356
                    CVE-2018-11357 CVE-2018-11358 CVE-2018-11359
                    CVE-2018-11360 CVE-2018-11361 CVE-2018-11362
                    CVE-2018-12086 CVE-2018-14339 CVE-2018-14340
                    CVE-2018-14341 CVE-2018-14342 CVE-2018-14343
                    CVE-2018-14344 CVE-2018-14367 CVE-2018-14368
                    CVE-2018-14369 CVE-2018-14370 CVE-2018-16056
                    CVE-2018-16057 CVE-2018-16058 CVE-2018-18225
                    CVE-2018-18226 CVE-2018-18227 CVE-2018-19622
                    CVE-2018-19623 CVE-2018-19624 CVE-2018-19625
                    CVE-2018-19626 CVE-2018-19627 CVE-2018-19628
                    CVE-2019-10894 CVE-2019-10895 CVE-2019-10896
                    CVE-2019-10897 CVE-2019-10898 CVE-2019-10899
                    CVE-2019-10900 CVE-2019-10901 CVE-2019-10902
                    CVE-2019-10903 CVE-2019-13619 CVE-2019-16319
                    CVE-2019-19553 CVE-2019-5716 CVE-2019-5717
                    CVE-2019-5718 CVE-2019-5719 CVE-2019-5721
                    CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
                    CVE-2020-7044 CVE-2020-9428 CVE-2020-9429
                    CVE-2020-9430 CVE-2020-9431
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes 59 vulnerabilities is now available.
Description:

   This update for wireshark and libmaxminddb fixes the following issues:

   Update wireshark to new major version 3.2.2 and introduce libmaxminddb for GeoIP support (bsc#1156288).

   New features include:

   - Added support for 111 new protocols, including WireGuard, LoRaWAN, TPM 2.0, 802.11ax and QUIC
   - Improved support for existing protocols, like HTTP/2
   - Improved analytics and usability functionalities

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-693=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-693=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-693=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-693=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-693=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-693=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-693=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libmaxminddb-debugsource-1.4.2-1.3.1
      libmaxminddb-devel-1.4.2-1.3.1
      libmaxminddb0-1.4.2-1.3.1
      libmaxminddb0-debuginfo-1.4.2-1.3.1
      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      libwireshark13-3.2.2-3.35.2
      libwireshark13-debuginfo-3.2.2-3.35.2
      libwiretap10-3.2.2-3.35.2
      libwiretap10-debuginfo-3.2.2-3.35.2
      libwsutil11-3.2.2-3.35.2
      libwsutil11-debuginfo-3.2.2-3.35.2
      mmdblookup-1.4.2-1.3.1
      wireshark-3.2.2-3.35.2
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libmaxminddb0-32bit-1.4.2-1.3.1
      libmaxminddb0-32bit-debuginfo-1.4.2-1.3.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libmaxminddb-debugsource-1.4.2-1.3.1
      libmaxminddb-devel-1.4.2-1.3.1
      libmaxminddb0-1.4.2-1.3.1
      libmaxminddb0-debuginfo-1.4.2-1.3.1
      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      libwireshark13-3.2.2-3.35.2
      libwireshark13-debuginfo-3.2.2-3.35.2
      libwiretap10-3.2.2-3.35.2
      libwiretap10-debuginfo-3.2.2-3.35.2
      libwsutil11-3.2.2-3.35.2
      libwsutil11-debuginfo-3.2.2-3.35.2
      mmdblookup-1.4.2-1.3.1
      wireshark-3.2.2-3.35.2
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libspandsp2-32bit-0.0.6-3.2.1
      libspandsp2-32bit-debuginfo-0.0.6-3.2.1
      spandsp-debugsource-0.0.6-3.2.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      spandsp-doc-0.0.6-3.2.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      spandsp-debugsource-0.0.6-3.2.1
      spandsp-devel-0.0.6-3.2.1
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2
      wireshark-devel-3.2.2-3.35.2
      wireshark-ui-qt-3.2.2-3.35.2
      wireshark-ui-qt-debuginfo-3.2.2-3.35.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libmaxminddb-debugsource-1.4.2-1.3.1
      libmaxminddb-devel-1.4.2-1.3.1
      libmaxminddb0-1.4.2-1.3.1
      libmaxminddb0-debuginfo-1.4.2-1.3.1
      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      libwireshark13-3.2.2-3.35.2
      libwireshark13-debuginfo-3.2.2-3.35.2
      libwiretap10-3.2.2-3.35.2
      libwiretap10-debuginfo-3.2.2-3.35.2
      libwsutil11-3.2.2-3.35.2
      libwsutil11-debuginfo-3.2.2-3.35.2
      mmdblookup-1.4.2-1.3.1
      wireshark-3.2.2-3.35.2
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libmaxminddb0-32bit-1.4.2-1.3.1
      libmaxminddb0-32bit-debuginfo-1.4.2-1.3.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libmaxminddb-debugsource-1.4.2-1.3.1
      libmaxminddb-devel-1.4.2-1.3.1
      libmaxminddb0-1.4.2-1.3.1
      libmaxminddb0-debuginfo-1.4.2-1.3.1
      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      libwireshark13-3.2.2-3.35.2
      libwireshark13-debuginfo-3.2.2-3.35.2
      libwiretap10-3.2.2-3.35.2
      libwiretap10-debuginfo-3.2.2-3.35.2
      libwsutil11-3.2.2-3.35.2
      libwsutil11-debuginfo-3.2.2-3.35.2
      mmdblookup-1.4.2-1.3.1
      wireshark-3.2.2-3.35.2
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libmaxminddb0-32bit-1.4.2-1.3.1
      libmaxminddb0-32bit-debuginfo-1.4.2-1.3.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libmaxminddb-debugsource-1.4.2-1.3.1
      libmaxminddb-devel-1.4.2-1.3.1
      libmaxminddb0-1.4.2-1.3.1
      libmaxminddb0-debuginfo-1.4.2-1.3.1
      libspandsp2-0.0.6-3.2.1
      libspandsp2-debuginfo-0.0.6-3.2.1
      libwireshark13-3.2.2-3.35.2
      libwireshark13-debuginfo-3.2.2-3.35.2
      libwiretap10-3.2.2-3.35.2
      libwiretap10-debuginfo-3.2.2-3.35.2
      libwsutil11-3.2.2-3.35.2
      libwsutil11-debuginfo-3.2.2-3.35.2
      mmdblookup-1.4.2-1.3.1
      wireshark-3.2.2-3.35.2
      wireshark-debuginfo-3.2.2-3.35.2
      wireshark-debugsource-3.2.2-3.35.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libmaxminddb0-32bit-1.4.2-1.3.1
      libmaxminddb0-32bit-debuginfo-1.4.2-1.3.1

References:

   https://www.suse.com/security/cve/CVE-2018-11354.html
   https://www.suse.com/security/cve/CVE-2018-11355.html
   https://www.suse.com/security/cve/CVE-2018-11356.html
   https://www.suse.com/security/cve/CVE-2018-11357.html
   https://www.suse.com/security/cve/CVE-2018-11358.html
   https://www.suse.com/security/cve/CVE-2018-11359.html
   https://www.suse.com/security/cve/CVE-2018-11360.html
   https://www.suse.com/security/cve/CVE-2018-11361.html
   https://www.suse.com/security/cve/CVE-2018-11362.html
   https://www.suse.com/security/cve/CVE-2018-12086.html
   https://www.suse.com/security/cve/CVE-2018-14339.html
   https://www.suse.com/security/cve/CVE-2018-14340.html
   https://www.suse.com/security/cve/CVE-2018-14341.html
   https://www.suse.com/security/cve/CVE-2018-14342.html
   https://www.suse.com/security/cve/CVE-2018-14343.html
   https://www.suse.com/security/cve/CVE-2018-14344.html
   https://www.suse.com/security/cve/CVE-2018-14367.html
   https://www.suse.com/security/cve/CVE-2018-14368.html
   https://www.suse.com/security/cve/CVE-2018-14369.html
   https://www.suse.com/security/cve/CVE-2018-14370.html
   https://www.suse.com/security/cve/CVE-2018-16056.html
   https://www.suse.com/security/cve/CVE-2018-16057.html
   https://www.suse.com/security/cve/CVE-2018-16058.html
   https://www.suse.com/security/cve/CVE-2018-18225.html
   https://www.suse.com/security/cve/CVE-2018-18226.html
   https://www.suse.com/security/cve/CVE-2018-18227.html
   https://www.suse.com/security/cve/CVE-2018-19622.html
   https://www.suse.com/security/cve/CVE-2018-19623.html
   https://www.suse.com/security/cve/CVE-2018-19624.html
   https://www.suse.com/security/cve/CVE-2018-19625.html
   https://www.suse.com/security/cve/CVE-2018-19626.html
   https://www.suse.com/security/cve/CVE-2018-19627.html
   https://www.suse.com/security/cve/CVE-2018-19628.html
   https://www.suse.com/security/cve/CVE-2019-10894.html
   https://www.suse.com/security/cve/CVE-2019-10895.html
   https://www.suse.com/security/cve/CVE-2019-10896.html
   https://www.suse.com/security/cve/CVE-2019-10897.html
   https://www.suse.com/security/cve/CVE-2019-10898.html
   https://www.suse.com/security/cve/CVE-2019-10899.html
   https://www.suse.com/security/cve/CVE-2019-10900.html
   https://www.suse.com/security/cve/CVE-2019-10901.html
   https://www.suse.com/security/cve/CVE-2019-10902.html
   https://www.suse.com/security/cve/CVE-2019-10903.html
   https://www.suse.com/security/cve/CVE-2019-13619.html
   https://www.suse.com/security/cve/CVE-2019-16319.html
https://www.suse.com/security/cve/CVE-2019-19553.html https://www.suse.com/security/cve/CVE-2019-5716.html https://www.suse.com/security/cve/CVE-2019-5717.html https://www.suse.com/security/cve/CVE-2019-5718.html https://www.suse.com/security/cve/CVE-2019-5719.html https://www.suse.com/security/cve/CVE-2019-5721.html https://www.suse.com/security/cve/CVE-2019-9208.html https://www.suse.com/security/cve/CVE-2019-9209.html https://www.suse.com/security/cve/CVE-2019-9214.html https://www.suse.com/security/cve/CVE-2020-7044.html https://www.suse.com/security/cve/CVE-2020-9428.html https://www.suse.com/security/cve/CVE-2020-9429.html https://www.suse.com/security/cve/CVE-2020-9430.html https://www.suse.com/security/cve/CVE-2020-9431.html https://bugzilla.suse.com/1093733 https://bugzilla.suse.com/1094301 https://bugzilla.suse.com/1101776 https://bugzilla.suse.com/1101777 https://bugzilla.suse.com/1101786 https://bugzilla.suse.com/1101788 https://bugzilla.suse.com/1101791 https://bugzilla.suse.com/1101794 https://bugzilla.suse.com/1101800 https://bugzilla.suse.com/1101802 https://bugzilla.suse.com/1101804 https://bugzilla.suse.com/1101810 https://bugzilla.suse.com/1106514 https://bugzilla.suse.com/1111647 https://bugzilla.suse.com/1117740 https://bugzilla.suse.com/1121231 https://bugzilla.suse.com/1121232 https://bugzilla.suse.com/1121233 https://bugzilla.suse.com/1121234 https://bugzilla.suse.com/1121235 https://bugzilla.suse.com/1127367 https://bugzilla.suse.com/1127369 https://bugzilla.suse.com/1127370 https://bugzilla.suse.com/1131941 https://bugzilla.suse.com/1131945 https://bugzilla.suse.com/1136021 https://bugzilla.suse.com/1141980 https://bugzilla.suse.com/1150690 https://bugzilla.suse.com/1156288 https://bugzilla.suse.com/1158505 https://bugzilla.suse.com/1161052 https://bugzilla.suse.com/1165241 https://bugzilla.suse.com/1165710 https://bugzilla.suse.com/957624 From sle-security-updates at lists.suse.com Sat Mar 14 07:02:23 2020 From: sle-security-updates at 
lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 14 Mar 2020 14:02:23 +0100 (CET)
Subject: SUSE-CU-2020:85-1: Security update of suse/sle15
Message-ID: <20200314130223.40E9DFC56@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:85-1
Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.164
Container Release : 4.22.164
Severity : moderate
Type : security
References : 1163184 1164505 1165784 1166334 1166510 CVE-2020-10029
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
(bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:690-1
Released: Fri Mar 13 17:09:28 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1166334

This update for suse-build-key fixes the following issues:

- created a new security at suse.de communication key (bsc#1166334)

From sle-security-updates at lists.suse.com Sat Mar 14 07:05:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 14 Mar 2020 14:05:56 +0100 (CET)
Subject: SUSE-CU-2020:86-1: Security update of suse/sle15
Message-ID: <20200314130556.F39A1F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:86-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.181
Container Release : 6.2.181
Severity : moderate
Type : security
References : 1163184 1164505 1165784 1166334 1166510 CVE-2020-10029
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:690-1
Released: Fri Mar 13 17:09:28 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1166334

This update for suse-build-key fixes the following issues:

- created a new security at suse.de communication key (bsc#1166334)

From sle-security-updates at lists.suse.com Mon Mar 16 11:13:48 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Mar 2020 18:13:48 +0100 (CET)
Subject: SUSE-SU-2020:0697-1: moderate: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
Message-ID: <20200316171348.6B7EEF79E@maintenance.suse.de>

SUSE Security Update: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0697-1
Rating: moderate
References: #1155217 #1160460 #1164390
Cross-References: CVE-2019-18466
Affected Products:
SUSE Linux Enterprise Module for Public Cloud 15-SP1
SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.
Description:

This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:

podman was updated to 1.8.0:

- CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217)
- The name of the cni-bridge in the default config changed from "cni0" to "podman-cni0" with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only executed when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

Update podman to v1.8.0 (bsc#1160460):

* Features
- The podman system service command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing
- Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities
- The podman untag command has been added to remove tags from images without deleting them
- The podman inspect command on images now displays previous names they used
- The podman generate systemd command now supports a --new option to generate service files that create and run new containers instead of managing existing containers
- Support for --log-opt tag= to set logging tags has been added to the journald log driver
- Added support for using Seccomp profiles embedded in images for podman run and podman create via the new --seccomp-policy CLI flag
- The podman play kube command now honors pull policy

* Bugfixes
- Fixed a bug where the podman cp command would not copy the contents of directories when paths ending in /.
were given
- Fixed a bug where the podman play kube command did not properly locate Seccomp profiles specified relative to localhost
- Fixed a bug where the podman info command for remote Podman did not show registry information
- Fixed a bug where the podman exec command did not support having input piped into it
- Fixed a bug where the podman cp command with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying
- Fixed a bug where the podman container prune --force command could possibly remove running containers if they were started while the command was running
- Fixed a bug where Podman, when run as root, would not properly configure slirp4netns networking when requested
- Fixed a bug where podman run --userns=keep-id did not work when the user had a UID over 65535
- Fixed a bug where rootless podman run and podman create with the --userns=keep-id option could change permissions on /run/user/$UID and break KDE
- Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2
- Fixed a bug where podman inspect would show CPUShares as 0, instead of the default (1024), when it was not explicitly set
- Fixed a bug where podman-remote push would segfault
- Fixed a bug where image healthchecks were not shown in the output of podman inspect
- Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rm flag was given, even if they were given names
- Fixed a bug where podman history was not computing image sizes correctly
- Fixed a bug where Podman would not error on invalid values to the --sort flag to podman images
- Fixed a bug where providing a name for the image made by podman commit was mandatory, not optional as it should be
- Fixed a bug where the remote Podman client would append an extra " to %PATH
- Fixed a bug where the podman build command would sometimes ignore the -f option and
build the wrong Containerfile
- Fixed a bug where the podman ps --filter command would only filter running containers, instead of all containers, if --all was not passed
- Fixed a bug where the podman load command on compressed images would leave an extra copy on disk
- Fixed a bug where the podman restart command would not properly clean up the network, causing it to function differently from podman stop; podman start
- Fixed a bug where setting the --memory-swap flag to podman create and podman run to -1 (to indicate unlimited) was not supported

* Misc
- Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more here
- Many formatting corrections have been made to the manpages
- The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed
- Updated vendored Buildah to v1.13.1
- Updated vendored containers/storage to v1.15.8
- Updated vendored containers/image to v5.2.0
- Add apparmor-abstractions as required runtime dependency to have `tunables/global` available.
- fixed the --force flag for the "container prune" command.
(https://github.com/containers/libpod/issues/4844)

Update podman to v1.7.0

* Features
- Added support for setting a static MAC address for containers
- Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to
- The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompt for confirmation when run without --force (#4410 and #4411)
- Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363)
- Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation
- Added the --history flag to podman images to display previous names used by images (#4566)
- Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist
- Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file
- The podman play kube command now honors Seccomp annotations (#3111)
- The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions
- The output format of the podman version command has been changed to better match docker version when using the --format flag
- Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591)
- Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the contents of directories are copied into tmpfs filesystems mounted over them
- Added support for disabling detaching from containers by setting empty detach keys via --detach-keys=""
- The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build
- The podman ps -p command now shows the name of
the pod as well as its ID (#4703)
- The podman inspect command on containers will now display the command used to create the container
- The podman info command now displays information on registry mirrors (#4553)

* Bugfixes
- Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly
- Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases
- Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556)
- Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634)
- Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570)
- Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626)
- Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited
- Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621)
- Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906)
- Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774)
- Fixed a bug where the podman pod
prune command would fail if containers were present in the pods and the --force flag was not passed (#4346)
- Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500)
- Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run
- Fixed a bug where podman container restore would fail with containers using a user namespace
- Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed
- Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359)
- Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used
- Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container
- Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353)
- Fixed a bug where `podman info --format '{{ json . }}'` would not produce JSON output (#4391)
- Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328)
- Fixed a bug where podman images --digest would not always print digests when they were available
- Fixed a bug where rootless podman run could hang due to a race with reading and writing events
- Fixed a bug where rootless Podman would print warning-level logs despite not being instructed to do so (#4456)
- Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434)
- Fixed a bug where podman cp would not work if STDIN was a pipe
- Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397)
- Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396)
- Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344)
- Fixed a bug where the podman stats command would print CPU utilization figures incorrectly (#4409)
- Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744)
- Fixed a bug where the podman kill command was not properly validating signals before use (#4746)
- Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time
- Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host)
- Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed
- Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606)
- Fixed a bug where containers started with --rm would not be automatically
removed on being stopped if an exec session was running inside the container (#4666)

* Misc
- The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running
- Updated vendored Buildah to v1.12.0
- Updated vendored containers/storage library to v1.15.4
- Updated vendored containers/image library to v5.1.0
- Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system
- Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory

Update podman to v1.6.4

- Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
- Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
- Suppress spurious log messages when running rootless Podman
- Update vendored containers/storage to v1.13.6
- Fix a deadlock related to writing events
- Do not use the journald event logger when it is not available

Update podman to v1.6.2

* Features
- Added a --runtime flag to podman system migrate to allow the OCI runtime for all containers to be reset, to ease transition to the crun runtime on CGroups V2 systems until runc gains full support
- The podman rm command can now remove containers in broken states which previously could not be removed
- The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace
- Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer
- The --systemd flag to podman run and podman create now accepts a string argument and allows a new value, always, which forces systemd support without checking if the container entrypoint is systemd

* Bugfixes
- Fixed a bug where
the podman top command did not work on systems using CGroups V2 (#4192)
- Fixed a bug where rootless Podman could double-close a file, leading to a panic
- Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state
- Fixed a bug where podman start --attach --sig-proxy=false would still proxy signals into the container
- Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breaking podman login integration with skopeo and other tools using the containers/image library
- Fixed a bug where podman ps --format=json and podman images --format=json would display null when no results were returned, instead of valid JSON
- Fixed a bug where podman build --squash was incorrectly squashing all layers into one, instead of only new layers
- Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes were reported as mounted but were not (#4248)
- Fixed a bug where volumes which failed to unmount could not be removed (#4247)
- Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage
- Fixed a bug where podman stats was broken on systems running CGroups V2 when run rootless (#4268)
- Fixed a bug where the podman start command would print the short container ID, instead of the full ID
- Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman ps and could not be removed via podman rm
- Fixed a bug where containers restored via podman container restore --import would retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup

* Misc
- The default PID limit for containers is now set to 4096.
It can be adjusted back to the old default (unlimited) by passing --pids-limit 0 to podman create and podman run
- The podman start --attach command now automatically attaches STDIN if the container was created with -i
- The podman network create command now validates network names using the same regular expression as container and pod names
- The --systemd flag to podman run and podman create will now only enable systemd mode when the binary being run inside the container is /sbin/init, /usr/sbin/init, or ends in systemd (previously detected any path ending in init or systemd)
- Updated vendored Buildah to 1.11.3
- Updated vendored containers/storage to 1.13.5
- Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

* Features
- The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman
- The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems
- Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabled flag with podman create and podman run. This is presently only supported with the crun OCI runtime
- The podman volume rm and podman volume inspect commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. podman volume rm myvol to remove a volume named myvolume) (#3891)
- The podman run and podman create commands now support the --pull flag to allow forced re-pulling of images (#3734)
- Mounting volumes into a container using --volume, --mount, and --tmpfs now allows the suid, dev, and exec mount options (the inverse of nosuid, nodev, noexec) (#3819)
- Mounting volumes into a container using --mount now allows the relabel=Z and relabel=z options to relabel mounts.
- The podman push command now supports the --digestfile option to save a file containing the pushed digest
- Pods can now have their hostname set via podman pod create --hostname or providing Pod YAML with a hostname set to podman play kube (#3732)
- The podman image sign command now supports the --cert-dir flag
- The podman run and podman create commands now support the --security-opt label=filetype:$LABEL flag to set the SELinux label for container files
- The remote Podman client now supports healthchecks

* Bugfixes
- Fixed a bug where remote podman pull would panic if a Varlink connection was not available (#4013)
- Fixed a bug where podman exec would not properly set terminal size when creating a new exec session (#3903)
- Fixed a bug where podman exec would not clean up socket symlinks on the host (#3962)
- Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace
- Fixed a bug where podman prune -a would attempt to prune images used by Buildah and CRI-O, causing errors (#3983)
- Fixed a bug where improper permissions on the ~/.config directory could cause rootless Podman to use an incorrect directory for storing some files
- Fixed a bug where the bash completions for podman import threw errors
- Fixed a bug where Podman volumes created with podman volume create would not copy the contents of their mountpoint the first time they were mounted into a container (#3945)
- Fixed a bug where rootless Podman could not run podman exec when the container was not run inside a CGroup owned by the user (#3937)
- Fixed a bug where podman play kube would panic when given Pod YAML without a securityContext (#3956)
- Fixed a bug where Podman would place files incorrectly when storage.conf configuration items were set to the empty string (#3952)
- Fixed a bug where podman build did not correctly inherit Podman's CGroup configuration, causing crashes on CGroups V2 systems (#3938)
- Fixed a bug where remote podman run --rm would exit before
the container was completely removed, allowing race conditions when removing container resources (#3870)
- Fixed a bug where rootless Podman would not properly handle changes to /etc/subuid and /etc/subgid after a container was launched
- Fixed a bug where rootless Podman could not include some devices in a container using the --device flag (#3905)
- Fixed a bug where the commit Varlink API would segfault if provided incorrect arguments (#3897)
- Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869)
- Fixed a bug where podman remote cp crashed instead of reporting it was not yet supported (#3861)
- Fixed a bug where podman exec would run as the wrong user when execing into a container that was started from an image with Dockerfile USER (or a user specified via podman run --user) (#3838)
- Fixed a bug where images pulled using the oci: transport would be improperly named
- Fixed a bug where podman varlink would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572)
- Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted
- Fixed a bug where podman exec --preserve-fds caused Podman to hang (#4020)
- Fixed a bug where removing an unmounted container that was unmounted might sometimes not properly clean up the container (#4033)
- Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005)
- Fixed a bug where Podman would not properly set the $HOME environment variable when the OCI runtime did not set it
- Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012)
- Fixed a bug where named volumes would conflict with, instead of overriding, tmpfs filesystems added by the --read-only-tmpfs flag to podman create and podman run
- Fixed a bug where podman cp would incorrectly make the target directory when copying to a symlink
which pointed to a nonexistent directory (#3894)
- Fixed a bug where remote Podman would incorrectly read STDIN when the -i flag was not set (#4095)
- Fixed a bug where podman play kube would create an empty pod when given an unsupported YAML type (#4093)
- Fixed a bug where podman import --change improperly parsed CMD (#4000)
- Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfs CGroups manager
- Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162)
- Fixed a bug where rootless Podman with slirp4netns networking would fail to start containers due to mount leaks

* Misc
- Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumber after upgrading.
- Version 0.8.1 or greater of the CNI Plugins is now required for Podman
- Version 2.0.1 or greater of Conmon is strongly recommended
- Updated vendored Buildah to v1.11.2
- Updated vendored containers/storage library to v1.13.4
- Improved error messages when trying to create a pod with no name via podman play kube
- Improved error messages when trying to run podman pause or podman stats on a rootless container on a system without CGroups V2 enabled
- TMPDIR has been set to /var/tmp by default to better handle large temporary files
- podman wait has been optimized to detect stopped containers more rapidly
- Podman containers now include a ContainerManager annotation indicating they were created by libpod
- The podman info command now includes information about slirp4netns and fuse-overlayfs if they are available
- Podman no longer sets a default size of 65kb for tmpfs filesystems
- The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system.
This should only take effect on system restart
- The output of podman volume inspect has been more closely matched to docker volume inspect
- Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration.

Update podman to v1.5.1

* Features
- The hostname of pods is now set to the pod's name

* Bugfixes
- Fixed a bug where podman run and podman create did not honor the --authfile option (#3730)
- Fixed a bug where containers restored with podman container restore --import would incorrectly duplicate the Conmon PID file of the original container
- Fixed a bug where podman build ignored the default OCI runtime configured in libpod.conf
- Fixed a bug where podman run --rm (or force-removing any running container with podman rm --force) were not retrieving the correct exit code (#3795)
- Fixed a bug where Podman would exit with an error if any configured hooks directory was not present
- Fixed a bug where podman inspect and podman commit would not use the correct CMD for containers run with podman play kube
- Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
- Fixed a bug where the podman events command with the --since or --until options could take a very long time to complete

* Misc
- Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781)
- Podman now properly sets a user agent while contacting registries (#3788)
- Add zsh completion for podman commands

Update podman to v1.5.0

* Features
- Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitrary path with --userns=ns:$PATH
- Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors
- The podman generate kube command now produces YAML for any bind mounts the container has created
      (#2303)
    - The podman container restore command now features a new flag, --ignore-static-ip, that can be used with --import to import a single container with a static IP multiple times on the same host
    - Added the ability for podman events to output JSON by specifying --format=json
    - If the OCI runtime or conmon binary cannot be found at the paths specified in libpod.conf, Podman will now also search for them in the calling user's path
    - Added the ability to use podman import with URLs (#3609)
    - The podman ps command now supports filtering names using regular expressions (#3394)
    - Rootless Podman containers with --privileged set will now mount in all host devices that the user can access
    - The podman create and podman run commands now support the --env-host flag to forward all environment variables from the host into the container
    - Rootless Podman now supports healthchecks (#3523)
    - The format of the HostConfig portion of the output of podman inspect on containers has been improved and synced with Docker
    - Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=private to podman run or podman create
    - The podman create and podman run commands now support the --ulimit=host flag, which uses any ulimits currently set on the host for the container
    - The podman rm and podman rmi commands now use different exit codes to indicate 'no such container' and 'container is running' errors
    - Support for CGroups V2 through the crun OCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use
  * Bugfixes
    - Fixed a bug where a race condition could cause podman restart to fail to start containers with ports
    - Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at
    - Fixed a bug where podman search would return at most 25 results, even when the maximum number of results was set higher
    - Fixed a bug where podman play
      kube would not honor capabilities set in imported YAML (#3689)
    - Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648)
    - Fixed a bug where podman commit --changes would not properly set environment variables
    - Fixed a bug where Podman could segfault while working with images with no history
    - Fixed a bug where podman volume rm could remove arbitrary volumes if given an ambiguous name (#3635)
    - Fixed a bug where podman exec invocations leaked memory by not cleaning up files in tmpfs
    - Fixed a bug where the --dns and --net=container flags to podman run and podman create were not mutually exclusive (#3553)
    - Fixed a bug where rootless Podman would be unable to run containers when less than 5 UIDs were available
    - Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556)
    - Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfs CGroup driver
    - Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped
    - Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525)
    - Fixed a bug where healthchecks using the HEALTHCHECK CMD format were not properly supported (#3507)
    - Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504)
    - Fixed a bug where podman run did not use authorization credentials when a custom path was specified (#3524)
    - Fixed a bug where containers checkpointed with podman container checkpoint did not properly set their finished time
    - Fixed a bug where running podman inspect on any container not created with podman run or podman create (for example, pod infra containers) would result in a segfault
      (#3500)
    - Fixed a bug where healthcheck flags for podman create and podman run were incorrectly named (#3455)
    - Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487)
    - Fixed a bug where restored containers would not have the correct SELinux label
    - Fixed a bug where Varlink endpoints were not working properly if more was not correctly specified
    - Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715)
    - Fixed a bug where the --mount flag to podman create and podman run did not allow boolean arguments for its ro and rw options (#2980)
    - Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547)
    - Fixed a bug where Podman would unconditionally append ENTRYPOINT to CMD during podman commit (and when reporting CMD in podman inspect) (#3708)
    - Fixed a bug where podman events with the journald events backend would incorrectly print 6 previous events when only new events were requested (#3616)
    - Fixed a bug where podman port would exit prematurely when a port number was specified (#3747)
    - Fixed a bug where passing .
      as an argument to the --dns-search flag to podman create and podman run was not properly clearing DNS search domains in the container
  * Misc
    - Updated vendored Buildah to v1.10.1
    - Updated vendored containers/image to v3.0.2
    - Updated vendored containers/storage to v1.13.1
    - Podman now requires conmon v2.0.0 or higher
    - The podman info command now displays the events logger being in use
    - The podman inspect command on containers now includes the ID of the pod a container has joined and the PID of the container's conmon process
    - The -v short flag for podman --version has been re-added
    - Error messages from podman pull should be significantly clearer
    - The podman exec command is now available in the remote client
    - The podman-v1.5.0.tar.gz file attached is podman packaged for MacOS. It can be installed using Homebrew.
    - Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries.

conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):

fuse-overlayfs was updated to v0.7.6 (bsc#1160460)
  - do not look in lower layers for the ino if there is no origin xattr set
  - attempt to use the file path if the operation on the fd fails with ENXIO
  - do not expose internal xattrs through listxattr and getxattr
  - fix fallocate for deleted files.
  - ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL.
  - on copyup, do not copy the opaque xattr.
  - fix a wrong lookup for whiteout files, that could happen on a double unlink.
  - fix possible segmentation fault in direct_fsync()
  - use the data store to create missing whiteouts
  - after a rename, force a directory reload
  - introduce inodes cache
  - correctly read inode for unix sockets
  - avoid hash map lookup when possible
  - use st_dev for the ino key
  - check whether writeback is supported
  - set_attrs: don't require write to S_IFREG
  - ioctl: do not reuse fi->fh for directories
  - fix skip whiteout deletion optimization
  - store the new mode after chmod
  - support fuse writeback cache and enable it by default
  - add option to disable fsync
  - add option to disable xattrs
  - add option to skip ino number check in lower layers
  - fix fd validity check
  - fix memory leak
  - fix read after free
  - fix type for flistxattr return
  - fix warnings reported by lgtm.com
  - enable parallel dirops

cni was updated to 0.7.1:
  - Set correct CNI version for 99-loopback.conf

Update to version 0.7.1 (bsc#1160460):
  * Library changes:
    + invoke : ensure custom envs of CNIArgs are prepended to process envs
    + add GetNetworkListCachedResult to CNI interface
    + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance
  * Documentation & Convention changes:
    + Update cnitool documentation for spec v0.4.0
    + Add cni-route-override to CNI plugin list

Update to version 0.7.0:
  * Spec changes:
    + Use more RFC2119 style language in specification (must, should...)
    + add notes about ADD/DEL ordering
    + Make the container ID required and unique.
    + remove the version parameter from ADD and DEL commands.
    + Network interface name matters
    + be explicit about optional and required structure members
    + add CHECK method
    + Add a well-known error for "try again"
    + SPEC.md: clarify meaning of 'routes'
  * Library changes:
    + pkg/types: Makes IPAM concrete type
    + libcni: return error if Type is empty
    + skel: VERSION shouldn't block on stdin
    + non-pointer instances of types.Route now correctly marshal to JSON
    + libcni: add ValidateNetwork and ValidateNetworkList functions
    + pkg/skel: return error if JSON config has no network name
    + skel: add support for plugin version string
    + libcni: make exec handling an interface for better downstream testing
    + libcni: api now takes a Context to allow operations to be timed out or cancelled
    + types/version: add helper to parse PrevResult
    + skel: only print about message, not errors
    + skel,invoke,libcni: implementation of CHECK method
    + cnitool: Honor interface name supplied via CNI_IFNAME environment variable.
    + cnitool: validate correct number of args
    + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0
    + add PrintTo method to Result interface
    + Return a better error when the plugin returns none
  - Install sleep binary into CNI plugin directory

cni-plugins was updated to 0.8.4:

Update to version 0.8.4 (bsc#1160460):
  * add support for mips64le
  * Add missing cniVersion in README example
  * bump go-iptables module to v0.4.5
  * iptables: add idempotent functions
  * portmap doesn't fail if chain doesn't exist
  * fix portmap port forward flakiness
  * Add Bruce Ma and Piotr Skarmuk as owners

Update to version 0.8.3:
  * Enhancements:
    * static: prioritize the input sources for IPs (#400).
    * tuning: send gratuitous ARP in case of MAC address update (#403).
    * bandwidth: use uint64 for Bandwidth value (#389).
    * ptp: only override DNS conf if DNS settings provided (#388).
    * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
    * loopback support CNI CHECK and result cache (#374).
  * Better input validation:
    * vlan: add MTU validation to loadNetConf (#405).
    * macvlan: add MTU validation to loadNetConf (#404).
    * bridge: check vlan id when loading net conf (#394).
  * Bugfixes:
    * bugfix: defer after err check, or it may panic (#391).
    * portmap: Fix dual-stack support (#379).
    * firewall: don't return error in DEL if prevResult is not found (#390).
    * bump up libcni back to v0.7.1 (#377).
  * Docs:
    * contributing doc: revise test script name to run (#396).
    * contributing doc: describe cnitool installation (#397).

Update plugins to v0.8.2
  + New features:
    * Support "args" in static and tuning
    * Add Loopback DSR support, allow l2tunnel networks to be used with the l2bridge plugin
    * host-local: return error if same ADD request is seen twice
    * bandwidth: fix collisions
    * Support ips capability in static and mac capability in tuning
    * pkg/veth: Make host-side veth name configurable
  + Bug fixes:
    * Fix: failed to set bridge addr: could not add IP address to "cni0": file exists
    * host-device: revert name setting to make retries idempotent (#357).
    * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
    * Update go.mod & go.sub
    * Remove link Down/Up in MAC address change to prevent route flush (#364).
    * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is "invalid argument" not "file exists"
    * bump containernetworking/cni to v0.7.1

Updated plugins to v0.8.1:
  + Bugs:
    * bridge: fix ipMasq setup to use correct source address
    * fix compilation error on 386
    * bandwidth: get bandwidth interface in host ns through container interface
  + Improvements:
    * host-device: add pciBusID property

Updated plugins to v0.8.0:
  + New plugins:
    * bandwidth - limit incoming and outgoing bandwidth
    * firewall - add containers to firewall rules
    * sbr - convert container routes to source-based routes
    * static - assign a fixed IP address
    * win-bridge, win-overlay: Windows plugins
  + Plugin features / changelog:
    * CHECK Support
    * macvlan:
      - Allow to configure empty ipam for macvlan
      - Make master config optional
    * bridge:
      - Add vlan tag to the bridge cni plugin
      - Allow the user to assign VLAN tag
      - L2 bridge Implementation.
    * dhcp:
      - Include Subnet Mask option parameter in DHCPREQUEST
      - Add systemd unit file to activate socket with systemd
      - Add container ifName to the dhcp clientID, making the clientID value
    * flannel:
      - Pass through runtimeConfig to delegate
    * host-local:
      - host-local: add ifname to file tracking IP address used
    * host-device:
      - Support the IPAM in the host-device
      - Handle empty netns in DEL for loopback and host-device
    * tuning:
      - adds 'ip link' command related feature into tuning
  + Bug fixes & minor changes
    * Correctly DEL on ipam failure for all plugins
    * Fix bug on ip revert if cmdAdd fails on macvlan and host-device
    * host-device: Ensure device is down before rename
    * Fix -hostprefix option
    * some DHCP servers expect to request for explicit router options
    * bridge: release IP in case of error
    * change source of ipmasq rule from ipn to ip

from version v0.7.5:
  + This release takes a minor change to the portmap plugin:
    * Portmap: append, rather than prepend, entry rules
  + This fixes a potential issue where firewall rules may be bypassed
    by port mapping

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-697=1

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-697=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64):

      cni-0.7.1-3.3.1
      cni-plugins-0.8.4-3.3.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

      cni-0.7.1-3.3.1
      cni-plugins-0.8.4-3.3.1
      conmon-2.0.10-3.3.1
      conmon-debuginfo-2.0.10-3.3.1
      fuse-overlayfs-0.7.6-3.6.1
      fuse-overlayfs-debuginfo-0.7.6-3.6.1
      fuse-overlayfs-debugsource-0.7.6-3.6.1
      podman-1.8.0-4.14.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):

      podman-cni-config-1.8.0-4.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-18466.html
   https://bugzilla.suse.com/1155217
   https://bugzilla.suse.com/1160460
   https://bugzilla.suse.com/1164390

From sle-security-updates at lists.suse.com Mon Mar 16 14:13:48 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Mar 2020 21:13:48 +0100 (CET)
Subject: SUSE-SU-2020:0699-1: Security update for ovmf
Message-ID: <20200316201348.064CDFC56@maintenance.suse.de>

   SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0699-1
Rating: low
References: #1153072 #1163927 #1163959 #1163969
Cross-References: CVE-2019-14553 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575
Affected Products:
   SUSE Linux Enterprise Server 12-SP5
   SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for ovmf fixes the following issues:

   Security issues fixed:

   - CVE-2019-14563: Fixed a memory corruption caused by insufficient numeric truncation (bsc#1163959).
   - CVE-2019-14553: Fixed the TLS certification verification in HTTPS-over-IPv6 boot sequences (bsc#1153072).
   - CVE-2019-14559: Fixed a remotely exploitable memory leak in the ARP handling code (bsc#1163927).
   - CVE-2019-14575: Fixed an insufficient signature check in the DxeImageVerificationHandler (bsc#1163969).
   - Enabled HTTPS-over-IPv6 (bsc#1153072).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-699=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-699=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):

      ovmf-2017+git1510945757.b2662641d5-3.23.1
      ovmf-tools-2017+git1510945757.b2662641d5-3.23.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.23.1
      qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.23.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 x86_64):

      ovmf-2017+git1510945757.b2662641d5-3.23.1
      ovmf-tools-2017+git1510945757.b2662641d5-3.23.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.23.1
      qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.23.1

References:

   https://www.suse.com/security/cve/CVE-2019-14553.html
   https://www.suse.com/security/cve/CVE-2019-14559.html
   https://www.suse.com/security/cve/CVE-2019-14563.html
   https://www.suse.com/security/cve/CVE-2019-14575.html
   https://bugzilla.suse.com/1153072
   https://bugzilla.suse.com/1163927
   https://bugzilla.suse.com/1163959
   https://bugzilla.suse.com/1163969

From sle-security-updates at lists.suse.com Tue Mar 17 08:15:09 2020
From:
 sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Mar 2020 15:15:09 +0100 (CET)
Subject: SUSE-SU-2020:14323-1: moderate: Security update for librsvg
Message-ID: <20200317141509.9D11EFCEC@maintenance.suse.de>

   SUSE Security Update: Security update for librsvg
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14323-1
Rating: moderate
References: #1083232 #1094213 #1162501 #977985 #977986 #987877
Cross-References: CVE-2015-7558 CVE-2016-4348 CVE-2016-6163 CVE-2018-1000041 CVE-2019-20446
Affected Products:
   SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata is now available.

Description:

   This update for librsvg fixes the following issues:

   - CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
   - CVE-2015-7558: librsvg allowed context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document (bsc#977985).
   - CVE-2016-6163: svg pattern linking to non-pattern fallback leads to invalid memory access, allowing to cause DoS (bsc#987877).
   - CVE-2018-1000041: Fixed leaking credentials via SVG files that reference UNC paths (bsc#1083232)
   - CVE-2016-4348: Fixed a denial of service parsing SVGs with circular definitions _rsvg_css_normalize_font_size() function (bsc#977986)
   - Fixed a stack exhaustion with circular references in elements.
   - Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG "use" elements in malicious SVGs.

   This update also removes the Mozilla plugin package.
   Firefox can render SVG on its own and the plugin interface is obsolete.

   This update for libcroco fixes the following issue:

   - Fixed an issue where librsvg was throwing a segmentation fault (bsc#1094213).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-librsvg-14323=1

Package List:

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      libcroco-debuginfo-0.6.1-122.6.1
      libcroco-debugsource-0.6.1-122.6.1
      librsvg-debuginfo-2.26.0-2.6.8.3
      librsvg-debugsource-2.26.0-2.6.8.3

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      librsvg-debuginfo-32bit-2.26.0-2.6.8.3

References:

   https://www.suse.com/security/cve/CVE-2015-7558.html
   https://www.suse.com/security/cve/CVE-2016-4348.html
   https://www.suse.com/security/cve/CVE-2016-6163.html
   https://www.suse.com/security/cve/CVE-2018-1000041.html
   https://www.suse.com/security/cve/CVE-2019-20446.html
   https://bugzilla.suse.com/1083232
   https://bugzilla.suse.com/1094213
   https://bugzilla.suse.com/1162501
   https://bugzilla.suse.com/977985
   https://bugzilla.suse.com/977986
   https://bugzilla.suse.com/987877

From sle-security-updates at lists.suse.com Tue Mar 17 11:15:18 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Mar 2020 18:15:18 +0100 (CET)
Subject: SUSE-SU-2020:0706-1: moderate: Security update for apache2-mod_auth_openidc
Message-ID: <20200317171518.3C550FCEC@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_auth_openidc
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0706-1
Rating: moderate
References: #1164459
Cross-References: CVE-2019-20479
Affected Products:
   SUSE Linux Enterprise Server 12-SP5
   SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for apache2-mod_auth_openidc fixes the following issues:

   - CVE-2019-20479: Fixed an open redirect issue in URLs with slash and backslash (bsc#1164459).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-706=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-706=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-mod_auth_openidc-2.4.0-3.11.1
      apache2-mod_auth_openidc-debuginfo-2.4.0-3.11.1
      apache2-mod_auth_openidc-debugsource-2.4.0-3.11.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      apache2-mod_auth_openidc-2.4.0-3.11.1
      apache2-mod_auth_openidc-debuginfo-2.4.0-3.11.1
      apache2-mod_auth_openidc-debugsource-2.4.0-3.11.1

References:

   https://www.suse.com/security/cve/CVE-2019-20479.html
   https://bugzilla.suse.com/1164459

From sle-security-updates at lists.suse.com Tue Mar 17 11:18:10 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Mar 2020 18:18:10 +0100 (CET)
Subject: SUSE-SU-2020:0705-1: moderate: Security update for apache2-mod_auth_openidc
Message-ID: <20200317171810.34FC0FCEC@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_auth_openidc
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0705-1
Rating: moderate
References: #1164459
Cross-References: CVE-2019-20479
Affected Products:
   SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

   An update
   that fixes one vulnerability is now available.

Description:

   This update for apache2-mod_auth_openidc fixes the following issues:

   - CVE-2019-20479: Fixed an open redirect issue in URLs with slash and backslash (bsc#1164459).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-705=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le x86_64):

      apache2-mod_auth_openidc-2.3.8-3.7.1
      apache2-mod_auth_openidc-debuginfo-2.3.8-3.7.1
      apache2-mod_auth_openidc-debugsource-2.3.8-3.7.1

References:

   https://www.suse.com/security/cve/CVE-2019-20479.html
   https://bugzilla.suse.com/1164459

From sle-security-updates at lists.suse.com Wed Mar 18 05:35:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Mar 2020 12:35:42 +0100 (CET)
Subject: SUSE-CU-2020:92-1: Security update of caasp/v4/curl
Message-ID: <20200318113542.13984FCB3@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/curl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:92-1
Container Tags : caasp/v4/curl:7.60.0 , caasp/v4/curl:7.60.0-rev1 , caasp/v4/curl:7.60.0-rev1-build1.5.1
Container Release : 1.5.1
Severity : important
Type : security
-----------------------------------------------------------------

The container caasp/v4/curl was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines.
  (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. 
(bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2070-1 Released: Fri Sep 28 08:02:02 2018 Summary: Security update for gnutls Type: security Severity: moderate References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846 This update for gnutls fixes the following security issues: - Improved mitigations against Lucky 13 class of attacks - CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2083-1 Released: Sun Sep 30 14:06:33 2018 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1097158,1101470,CVE-2018-0732 This update for openssl-1_1 to 1.1.0i fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks These non-security issues were fixed: - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. 
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. - Fixed a text canonicalisation bug in CMS - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. 
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2539-1 Released: Tue Oct 30 16:17:23 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1113100 This update for rpm fixes the following issues: - On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2578-1 Released: Mon Nov 5 17:55:35 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842 This update for curl fixes the following issues: - CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite 
heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to 
redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - No longer adjusts qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). 
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. 
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code prevents the hot-add memory block from being set to online. 
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:189-1 Released: Mon Jan 28 14:14:46 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Add kmod(module) provides to kernel and KMPs (fate#326579). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:248-1 Released: Wed Feb 6 08:35:20 2019 Summary: Security update for curl Type: security Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:664-1 Released: Wed Mar 20 14:54:12 2019 Summary: Recommended update for gpgme Type: recommended Severity: low References: 1121051 This update for gpgme provides the following fix: - Re-generate keys in Qt tests to not expire. 
(bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
  (bsc#1134217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released: Fri Jul 12 18:06:31 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1139937,CVE-2018-20843

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large number of colons (bsc#1139937).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes.
  (bsc#1141883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.
  (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input.
  (bsc#1149429)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top.
  If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
  (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhided 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. 
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the 
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Tue Feb 25 13:27:04 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. 
(bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) From sle-security-updates at lists.suse.com Wed Mar 18 05:41:41 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 18 Mar 2020 12:41:41 +0100 (CET) Subject: SUSE-CU-2020:93-1: Security update of caasp/v4/k8s-sidecar Message-ID: <20200318114141.A8EF2F3F6@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/k8s-sidecar ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:93-1 Container Tags : caasp/v4/k8s-sidecar:0.1.75 , caasp/v4/k8s-sidecar:0.1.75-rev1 , caasp/v4/k8s-sidecar:0.1.75-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1027282 1029377 1029902 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1040164 1042670 1044840 1045723 1047002 1049825 1051143 1063675 1065270 1070853 1071321 1072183 1073313 1076519 1076696 1079761 1080919 1081750 1081947 1081947 1082293 1082318 1083158 1083507 1084671 1084812 1084842 1084934 
1085196 1086001 1086367 1086367 1087550 1088004 1088009 1088052 1088279 1088358 1088524 1088573 1089640 1089761 1090047 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1094814 1094814 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1097595 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1101820 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1103678 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107030 1107030 1107066 1107067 1107116 1107121 1107617 1107640 1107941 1109197 1109252 1109663 1109847 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111499 1111622 1111657 1111973 1112024 1112570 1112723 1112726 1112758 1113083 1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120644 1120644 1120689 1121051 1121197 1121446 1121563 1121563 1121753 1122000 1122191 1122191 1122417 1122669 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128323 1128383 1128598 1129071 1129346 1129346 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1130840 1130840 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132663 1132721 1132900 1133452 1133452 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136184 1136717 1137001 1137053 1137624 1137832 1137942 1137977 1138459 1138459 1138869 1138939 1139083 
1139083 1139459 1139795 1139937 1139939 1139959 1140039 1140631 1140647 1141059 1141093 1141113 1141853 1141853 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145003 1145023 1145521 1145554 1145716 1146027 1146415 1146415 1146853 1146854 1146866 1146947 1148517 1148788 1148987 1149121 1149121 1149145 1149332 1149429 1149495 1149496 1149511 1149792 1149792 1149792 1149955 1149955 1150003 1150137 1150250 1150595 1150734 1150895 1151023 1151023 1151377 1151481 1151490 1151490 1151582 1152101 1152755 1153165 1153238 1153238 1153351 1153557 1153936 1154019 1154036 1154037 1154217 1154256 1154295 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155298 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1155951 1156158 1156213 1156482 1157198 1157278 1157292 1157323 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159018 1159035 1159082 1159622 1159814 1160039 1160160 1160463 1160571 1160594 1160595 1160735 1160764 1160970 1161056 1161110 1161179 1161215 1161216 1161218 1161219 1161220 1161225 1161436 1161770 1161779 1162093 1162108 1162224 1162367 1162423 1162518 1162825 1163184 1163922 1164505 1164562 1164950 1165784 1166510 353876 637176 658604 673071 709442 743787 747125 751718 754447 754677 787526 809831 831629 834601 859480 871152 885662 885882 915402 917607 918346 942751 943457 951166 953659 960273 983582 984751 985177 985348 985657 989523 991901 CVE-2009-5155 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2015-0247 CVE-2015-1572 CVE-2016-0772 CVE-2016-1000110 CVE-2016-10739 CVE-2016-3189 CVE-2016-5636 CVE-2016-5699 CVE-2017-10790 CVE-2017-17740 CVE-2017-18207 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000802 CVE-2018-1000858 CVE-2018-10360 
CVE-2018-1060 CVE-2018-1061 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-10903 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-14647 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16428 CVE-2018-16429 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18074 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20406 CVE-2018-20406 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-20843 CVE-2018-20852 CVE-2018-20852 CVE-2018-6954 CVE-2018-9251 CVE-2019-10160 CVE-2019-10160 CVE-2019-11236 CVE-2019-11324 CVE-2019-12290 CVE-2019-12450 CVE-2019-12749 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13012 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14853 CVE-2019-14859 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-15903 CVE-2019-16056 CVE-2019-16056 CVE-2019-16168 CVE-2019-16935 CVE-2019-16935 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5010 CVE-2019-5010 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5436 CVE-2019-5481 CVE-2019-5482 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9636 CVE-2019-9636 CVE-2019-9674 CVE-2019-9740 CVE-2019-9936 CVE-2019-9937 CVE-2019-9947 CVE-2019-9947 CVE-2020-10029 CVE-2020-1712 CVE-2020-8013 CVE-2020-8492 PM-1350 
----------------------------------------------------------------- The container caasp/v4/k8s-sidecar was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1264-1 Released: Tue Jul 3 10:56:12 2018 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1086367 This update for curl provides the following fix: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. 
(bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. 
(bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1887-1 Released: Wed Sep 12 12:34:28 2018 Summary: Recommended update for python-websocket-client Type: recommended Severity: moderate References: 1076519 This update for python-websocket-client fixes the following issues: - Use systems ca bundle file by default. (bsc#1076519) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. 
(bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2070-1 Released: Fri Sep 28 08:02:02 2018 Summary: Security update for gnutls Type: security Severity: moderate References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846 This update for gnutls fixes the following security issues: - Improved mitigations against Lucky 13 class of attacks - CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2083-1 Released: Sun Sep 30 14:06:33 2018 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1097158,1101470,CVE-2018-0732 This update for openssl-1_1 to 1.1.0i fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. 
This could be exploited in a Denial Of Service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks These non-security issues were fixed: - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. - Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. - Fixed a text canonicalisation bug in CMS - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2170-1 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1107030 This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. 
(bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. 
(bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2430-1 Released: Wed Oct 24 13:05:18 2018 Summary: Security update for python-cryptography Type: security Severity: moderate References: 1101820,CVE-2018-10903 This update for python-cryptography fixes the following issues: - CVE-2018-10903: The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries could have caused key leakage (bsc#1101820). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2539-1 Released: Tue Oct 30 16:17:23 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1113100 This update for rpm fixes the following issues: - On PowerPC64 fix the superfluous TOC. 
dependency (bsc#1113100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2578-1 Released: Mon Nov 5 17:55:35 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842 This update for curl fixes the following issues: - CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - No longer adjusts qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs have been fixed, quite a few new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2644-1 Released: Mon Nov 12 20:40:15 2018 Summary: Recommended update for glib2-branding Type: recommended Severity: low References: 1097595 This update for glib2-branding provides the following fix: - Recommend sound-theme-freedesktop on SLE. (bsc#1097595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2780-1 Released: Mon Nov 26 17:46:10 2018 Summary: Security update for glib2 Type: security Severity: moderate References: 1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429 This update for glib2 fixes the following issues: Security issues fixed: - CVE-2018-16428: Do not do a NULL pointer dereference (crash). Avoid that, at the cost of introducing a new translatable error message (bsc#1107121). - CVE-2018-16429: Fixed out-of-bounds read vulnerability in g_markup_parse_context_parse() (bsc#1107116). Non-security issue fixed: - various GVariant parsing issues have been resolved (bsc#1111499) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove screen.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2873-1 Released: Fri Dec 7 13:27:36 2018 Summary: Recommended update for python-cffi Type: recommended Severity: moderate References: 1111657 This update for python-cffi fixes the following issues: - Fix the testsuite of python-cffi like upstream to solve corruption at build (bsc#1111657) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. 
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. 
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:189-1 Released: Mon Jan 28 14:14:46 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Add kmod(module) provides to kernel and KMPs (fate#326579). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:248-1 Released: Wed Feb 6 08:35:20 2019 Summary: Security update for curl Type: security Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:251-1 Released: Wed Feb 6 11:22:43 2019 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1090047 This update for glib2 provides the following fix: - Enable systemtap. 
(fate#326393, bsc#1090047) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix 
  serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607)
  (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting
  from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function
  do_core_note in readelf.c, which allowed remote attackers to cause a
  denial of service (application crash) via a crafted ELF file
  (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in
  readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in
  readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and
  en_US.UTF-8 locales.
  (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879,
  fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire. (bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with messages
  'GSSAPI client step 1'. By server context the connection will be sent
  to the log function but the client content does not have log level
  information, so there is no way to stop DEBUG level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps
  (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3
  (Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in
  pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds
  without public key support.
- All functions using RSA private keys are now side-channel silent. This
  applies both to the bignum calculations, which now use GMP's mpn_sec_*
  family of functions, and the processing of PKCS#1 padding needed for
  RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may
  now clobber all of the provided message buffer, independent of the
  actual message length. They are side-channel silent, in that branches
  and memory accesses don't depend on the validity or length of the
  message. Side-channel leakage from the caller's use of length and
  return value may still provide an oracle usable for a
  Bleichenbacher-style chosen ciphertext attack, which is why the new
  function rsa_sec_decrypt is recommended.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- Add an option to enforce connection via protocol version 2 first
  (bsc#1120689).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date
  (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579,
  jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo
  function which could allow applications to incorrectly assume that it
  had parsed a valid string, without the possibility of embedded HTTP
  headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order
  of instructions while maintaining the robust mutex list due to missing
  compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:966-1
Released: Wed Apr 17 12:20:13 2019
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1128323

This update for python-rpm-macros fixes the following issues:

The Python RPM macros were updated to version 20190408.32abece, fixing
bugs (bsc#1128323)

* Add missing $ expansion on the pytest call
* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the
  rpm macros.
* Fix an issue with epoch printing having too many \
* add epoch while printing 'Provides:'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released: Wed Apr 17 14:43:26 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1129346,CVE-2019-9636

This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect
  handling of Unicode encoding during NFKC normalization (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which
  allowed an unprivileged user to save registry files outside a share
  (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to
  using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit
  libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3
  async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate
  verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in
  PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5
  prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads
  and writes in a single transaction with an fts5 virtual table
  (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within
  AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in
  PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors
  (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released: Fri May 24 14:41:44 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1130840,1133452,CVE-2019-9947

This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:

- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection
  if the attacker controls a url parameter (bsc#1130840).

Non-security issue fixed:

- Fixed broken debuginfo packages by switching off LTO and PGO
  optimization (bsc#1133452).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet,
  which receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could
  be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message
  (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where
  services with DynamicUser could gain new privileges or create
  SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log
  into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once
  per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root
fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an
  empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser
  (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash
  (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in
  ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in
  __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group
  (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file
  (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a
  crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing
  validation of the number of
  sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in
  /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to
  decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in
  dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files
  (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the
  function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the
  dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated
  string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1487-1
Released: Thu Jun 13 09:40:56 2019
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1111622,CVE-2018-18074

This update for python-requests to version 2.20.1 fixes the following issues:

Security issue fixed:

- CVE-2018-18074: Fixed an information disclosure vulnerability of the
  HTTP Authorization header (bsc#1111622).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the
  new singularity 3.1 version.
  (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released: Fri Jun 21 10:17:15 2019
Summary: Security update for glib2
Type: security
Severity: important
References: 1103678,1137001,CVE-2019-12450

This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).

Other issue addressed:

- glib2 was handling an UNKNOWN connectivity state from NetworkManager
  as if there was a connection thus giving false positives to PackageKit
  (bsc#1103678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1595-1
Released: Fri Jun 21 10:17:44 2019
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1137832,CVE-2019-12749

This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
  could have allowed local attackers to bypass authentication
  (bsc#1137832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz,
xzdec, lzmadec, documentation, translated messages, tests, debug, extra
directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to
  /usr/share/kerberos/ldap.
  (bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop
  working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released: Fri Jul 12 17:53:51 2019
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1139959,CVE-2019-13012

This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when
  creating directories (bsc#1139959).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released: Fri Jul 12 18:06:31 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1139937,CVE-2018-20843

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource
  consumption in the XML parser when XML names contain a large amount of
  colons (bsc#1139937).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many
  selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again)
  (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation
  (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc

  Those symlinks must only be created by the presets. There are no
  changes in practice since systemd/udev doesn't ship such symlinks in
  /etc but let's make sure no future changes will introduce new ones by
  mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted
  case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp()
  (bsc#1127223).
Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to
  PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the
  AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to
  avoid nodeset limit when processing large XML files. (bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused
  incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys
  (bsc#1141093).
Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released: Tue Aug 6 09:42:37 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160

This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit()
  introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent
  to the wrong server because of incorrect domain validation
  (bsc#1141853).

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled
  (bsc#1094814).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode,
  caused by an incomplete implementation of previous change
  (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage.
  (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x.
  (bsc#1137624)
- Add patchset for s390 improvements.
  (jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes.
  (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS
Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being
  ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and
  netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters
  (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type'
  (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser
  (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being
  ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period.
  (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released: Mon Sep 9 10:17:16 2019
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740

This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification
  (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter
  (bsc#1132663).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d.
(bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2422-1 Released: Fri Sep 20 16:36:43 2019 Summary: Recommended update for python-urllib3 Type: recommended Severity: moderate References: 1150895 This update for python-urllib3 fixes the following issues: - Add missing dependency on python-six (bsc#1150895) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. 
(bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2483-1 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Type: optional Severity: low References: 1088358 This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissions for amanda. 
(bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2645-1 Released: Fri Oct 11 17:11:23 2019 Summary: Recommended update for python-cryptography Type: recommended Severity: moderate References: 1149792 This update for python-cryptography fixes the following issues: - Adds compatibility to OpenSSL 1.1.1d (bsc#1149792) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). 
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids 
* pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). 
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). - repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. 
(bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification. - Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2802-1 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. 
(bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2891-1 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Type: security Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2929-1 Released: Thu Nov 7 16:45:13 2019 Summary: Recommended update for python-kubernetes Type: recommended Severity: moderate References: 1151481 This update for python-kubernetes fixes the following issues: - python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library) - Backport fix for base64 padding in kubeconfig (bsc#1151481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. 
A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). 
- Fixed a regression which caused segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). 
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). 
- Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger??? 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). 
- Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Tue Feb 25 13:27:04 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for 
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
* Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN 
* Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add 
AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. 
Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating 
specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! 
* Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of 
AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:556-1 Released: Mon Mar 2 13:32:11 2020 Summary: Recommended update for 389-ds Type: recommended Severity: moderate References: 1155951 This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. 
More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to 
https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:710-1
Released: Wed Mar 18 07:32:24 2020
Summary: Upgrading to Terraform 0.12 and fix issues in crio, grafana, kubelet, skuba, and terraform
Type: recommended
Severity: important
References: 1145003,1157323,1159082,1160463,1161056,1161110,1161179,1161225,1162093

Upgrade Terraform Files and State

In order to seamlessly switch to Terraform 0.12 you need to make sure that:

* all files follow the new syntax for the HashiCorp Configuration Language included in Terraform 0.12;
* all boolean values are `true` or `false` and *not* 0 or 1;
* all variables are explicitly declared;
* all dependencies are explicitly declared to reach the expected behavior.

Recommended Procedure

If you can tear down your existing cluster, delete your cluster before upgrading to Terraform 0.12. After that follow our documentation to create a new cluster. That will lead to the cleanest upgrade result.

If you are using Terraform 0.11 and you cannot tear down your cluster, you will need to update your Terraform files (and states) in place for Terraform 0.12. To do this, enter your Terraform files/state folder and:

* Migrate Terraform files with the automatic migration tool by running `terraform 0.12upgrade`.
* For OpenStack, run the extra operations for in-place upgrade, which follow just below.
* For VMware, there is no extra operation.
* You can then run the `terraform init/plan/apply` commands as usual.

Extra Operations for In-place Upgrade of OpenStack Terraform Files

* Replace any boolean values written as a number with `false`/`true`. For example, for the variables in `openstack/variables.tf` (and their equivalent in your `terraform.tfvars` file), replace `default = 0` with `default = false` in the variables `workers_vol_enabled` and `dnsentry`. Do the same for any extra boolean variable you might have added.
* Introduce a `depends_on` on the resource `'openstack_compute_floatingip_associate_v2' 'master_ext_ip'` in `master-instance.tf`:

----
depends_on = [openstack_compute_instance_v2.master]
----

* Introduce a `depends_on` on the resource `'master_wait_cloudinit'` in `master-instance.tf`:

----
depends_on = [
  openstack_compute_instance_v2.master,
  openstack_compute_floatingip_associate_v2.master_ext_ip
]
----

* Introduce a `depends_on` on the resources `'openstack_compute_floatingip_associate_v2' 'worker_ext_ip'` and `'null_resource' 'worker_wait_cloudinit'` in `worker-instance.tf`, similarly to the ones for master. Replace `master` with `worker` in the examples above.
* Update the resources `resource 'openstack_compute_instance_v2' 'master'` and `resource 'openstack_compute_instance_v2' 'worker'` in `master-instance.tf` and `worker-instance.tf` respectively.
Add the following resources:

----
lifecycle {
  ignore_changes = [user_data]
}
----

This will make it possible to update your cluster from a Terraform 0.11 state into a Terraform 0.12 state without tearing it down completely.

[WARNING]
When adding `lifecycle { ignore_changes = [user_data] }` in your master and worker instances, you will effectively prevent updates of nodes, should you or SUSE update the `user_data`. This should be removed as soon as possible after the migration to Terraform 0.12.

From sle-security-updates at lists.suse.com Wed Mar 18 05:25:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Mar 2020 12:25:31 +0100 (CET)
Subject: SUSE-CU-2020:91-1: Security update of caasp/v4/busybox
Message-ID: <20200318112531.22FEEFCEC@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/busybox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:91-1
Container Tags : caasp/v4/busybox:1.26.2 , caasp/v4/busybox:1.26.2-rev1 , caasp/v4/busybox:1.26.2-rev1-build1.5.1
Container Release : 1.5.1
Severity : important
Type : security
-----------------------------------------------------------------
The container caasp/v4/busybox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines.
  (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released: Thu Jul 26 16:23:09 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1094735,1095148,943457,CVE-2017-7500

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released: Fri Aug 17 18:20:58 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1099793,CVE-2018-0500

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released: Fri Sep 14 12:46:39 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086367,1106019,CVE-2018-14618

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
  (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause the hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- Does no longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:

https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
  (bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code prevents the hot-added memory block from being set to online.
  (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
  (bsc#1065270)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire.
  (bsc#1121051)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls fixes to version 3.6.7 the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
  address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
  (bsc#1134217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- Does no longer compress debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
  (bsc#1135123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
  (jsc#SLE-5807, bsc#1136717)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissons for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. 
(bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. 
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch 
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). 
- repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger???
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Tue Feb 25 13:27:04 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. 
(bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted,
  so we temporarily disabled pam_userdb again. It will be published
  in a different package at a later time. (bsc#1166510)

From sle-security-updates at lists.suse.com Wed Mar 18 08:15:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Mar 2020 15:15:40 +0100 (CET)
Subject: SUSE-SU-2020:0712-1: moderate: Security update for skopeo
Message-ID: <20200318141540.D1912FCEC@maintenance.suse.de>

SUSE Security Update: Security update for skopeo
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0712-1
Rating: moderate
References: #1159530 #1165715
Cross-References: CVE-2019-10214
Affected Products:
  SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.
Description:

This update for skopeo fixes the following issues:

Update to skopeo v0.1.41 (bsc#1165715):

- Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
- Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8
- Bump github.com/containers/common from 0.0.7 to 0.1.4
- Remove the reference to openshift/api
- vendor github.com/containers/image/v5 at v5.2.0
- Manually update buildah to v1.13.1
- add specific authfile options to copy (and sync) command.
- Bump github.com/containers/buildah from 1.11.6 to 1.12.0
- Add context to --encryption-key / --decryption-key processing failures
- Bump github.com/containers/storage from 1.15.2 to 1.15.3
- Bump github.com/containers/buildah from 1.11.5 to 1.11.6
- remove direct reference on c/image/storage
- Makefile: set GOBIN
- Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7
- Bump github.com/containers/storage from 1.15.1 to 1.15.2
- Introduce the sync command
- openshift cluster: remove .docker directory on teardown
- Bump github.com/containers/storage from 1.14.0 to 1.15.1
- document installation via apk on alpine
- Fix typos in doc for image encryption
- Image encryption/decryption support in skopeo
- make vendor-in-container
- Bump github.com/containers/buildah from 1.11.4 to 1.11.5
- Travis: use go v1.13
- Use a Windows Nano Server image instead of Server Core for multi-arch testing
- Increase test timeout to 15 minutes
- Run the test-system container without --net=host
- Mount /run/systemd/journal/socket into test-system containers
- Don't unnecessarily filter out vendor from (go list ./...) output
- Use -mod=vendor in (go {list,test,vet})
- Bump github.com/containers/buildah from 1.8.4 to 1.11.4
- Bump github.com/urfave/cli from 1.20.0 to 1.22.1
- skopeo: drop support for ostree
- Don't critically fail on a 403 when listing tags
- Revert "Temporarily work around auth.json location confusion"
- Remove references to atomic
- Remove references to storage.conf
- Dockerfile: use golang-github-cpuguy83-go-md2man
- bump version to v0.1.41-dev
- systemtest: inspect container image different from current platform arch

Changes in v0.1.40:

- vendor containers/image v5.0.0
- copy: add a --all/-a flag
- System tests: various fixes
- Temporarily work around auth.json location confusion
- systemtest: copy: docker->storage->oci-archive
- systemtest/010-inspect.bats: require only PATH
- systemtest: add simple env test in inspect.bats
- bash completion: add comments to keep scattered options in sync
- bash completion: use read -r instead of disabling SC2207
- bash completion: support --opt arg completion
- bash-completion: use replacement instead of sed
- bash completion: disable shellcheck SC2207
- bash completion: double-quote to avoid re-splitting
- bash completions: use bash replacement instead of sed
- bash completion: remove unused variable
- bash-completions: split decl and assignment to avoid masking retvals
- bash completion: double-quote fixes
- bash completion: hard-set PROG=skopeo
- bash completion: remove unused variable
- bash completion: use `||` instead of `-o`
- bash completion: rm eval on assigned variable
- copy: add --dest-compress-format and --dest-compress-level
- flag: add optionalIntValue
- Makefile: use go proxy
- inspect --raw: skip the NewImage() step
- update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f
- inspect.go: inspect env variables
- ostree: use both image and & storage buildtags

Update to skopeo v0.1.39 (bsc#1159530):

- inspect: add a --config flag
- Add --no-creds flag to skopeo inspect
- Add --quiet option to skopeo copy
- New progress bars
- Parallel Pulls and Pushes for major speed improvements
- containers/image moved to a new progress-bar library to fix various
  issues related to overlapping bars and redundant entries.
- enforce blocking of registries
- Allow storage-multiple-manifests
- When copying images and the output is not a tty (e.g., when piping to a
  file) print single lines instead of using progress bars. This avoids
  long and hard to parse output
- man pages: add --dest-oci-accept-uncompressed-layers
- completions:
  - Introduce transports completions
  - Fix bash completions when an option requires an argument
  - Use only spaces in indent
  - Fix completions with a global option
  - add --dest-oci-accept-uncompressed-layers

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-712=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  skopeo-0.1.41-4.11.1
  skopeo-debuginfo-0.1.41-4.11.1

References:

https://www.suse.com/security/cve/CVE-2019-10214.html
https://bugzilla.suse.com/1159530
https://bugzilla.suse.com/1165715

From sle-security-updates at lists.suse.com Wed Mar 18 14:15:39 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Mar 2020 21:15:39 +0100 (CET)
Subject: SUSE-SU-2020:0715-1: Security update for postgresql10
Message-ID: <20200318201539.9895BFCEE@maintenance.suse.de>

SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0715-1
Rating: low
References: #1163985
Cross-References: CVE-2020-1720
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Linux Enterprise Desktop 12-SP4
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for postgresql10 fixes the following issues:

PostgreSQL was updated to version 10.12.

Security issue fixed:

- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-715=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-715=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-715=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-715=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-715=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-715=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-715=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-715=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-715=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-715=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-715=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-715=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-715=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-715=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-715=1
- SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-715=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-715=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-715=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  postgresql10-docs-10.12-1.18.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1
libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE OpenStack Cloud 8 (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE OpenStack Cloud 8 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 
postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE OpenStack Cloud 7 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): postgresql10-devel-10.12-1.18.1 postgresql10-devel-debuginfo-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): postgresql10-devel-10.12-1.18.1 postgresql10-devel-debuginfo-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 
postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise 
Server 12-SP5 (s390x x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux 
Enterprise Server 12-SP3-BCL (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 
postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): postgresql10-docs-10.12-1.18.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 postgresql10-10.12-1.18.1 
postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 - SUSE Enterprise Storage 5 (x86_64): libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 - SUSE Enterprise Storage 5 (noarch): postgresql10-docs-10.12-1.18.1 - HPE Helion Openstack 8 (noarch): postgresql10-docs-10.12-1.18.1 - HPE Helion Openstack 8 (x86_64): libecpg6-10.12-1.18.1 libecpg6-debuginfo-10.12-1.18.1 libpq5-10.12-1.18.1 libpq5-32bit-10.12-1.18.1 libpq5-debuginfo-10.12-1.18.1 libpq5-debuginfo-32bit-10.12-1.18.1 postgresql10-10.12-1.18.1 postgresql10-contrib-10.12-1.18.1 postgresql10-contrib-debuginfo-10.12-1.18.1 postgresql10-debuginfo-10.12-1.18.1 postgresql10-debugsource-10.12-1.18.1 postgresql10-libs-debugsource-10.12-1.18.1 postgresql10-plperl-10.12-1.18.1 postgresql10-plperl-debuginfo-10.12-1.18.1 postgresql10-plpython-10.12-1.18.1 postgresql10-plpython-debuginfo-10.12-1.18.1 postgresql10-pltcl-10.12-1.18.1 postgresql10-pltcl-debuginfo-10.12-1.18.1 postgresql10-server-10.12-1.18.1 postgresql10-server-debuginfo-10.12-1.18.1 References: https://www.suse.com/security/cve/CVE-2020-1720.html https://bugzilla.suse.com/1163985 From sle-security-updates at lists.suse.com Thu Mar 19 08:21:24 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Mar 2020 15:21:24 +0100 (CET) Subject: SUSE-SU-2020:0717-1: important: Security update for MozillaFirefox Message-ID: <20200319142124.8CB4BFCEC@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox 
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0717-1
Rating: important
References: #1132665 #1166238
Cross-References: CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)

- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where the 'copy as cURL' feature did not fully escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-717=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-717=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-717=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-717=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-717=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-717=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-717=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-717=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-717=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-717=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-717=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-717=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-717=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-717=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-717=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-717=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-717=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1
MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE OpenStack Cloud 7 (s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le 
s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-devel-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-68.6.0-109.110.1 MozillaFirefox-debuginfo-68.6.0-109.110.1 MozillaFirefox-debugsource-68.6.0-109.110.1 MozillaFirefox-translations-common-68.6.0-109.110.1 References: https://www.suse.com/security/cve/CVE-2019-20503.html 
https://www.suse.com/security/cve/CVE-2020-6805.html https://www.suse.com/security/cve/CVE-2020-6806.html https://www.suse.com/security/cve/CVE-2020-6807.html https://www.suse.com/security/cve/CVE-2020-6811.html https://www.suse.com/security/cve/CVE-2020-6812.html https://www.suse.com/security/cve/CVE-2020-6814.html https://bugzilla.suse.com/1132665 https://bugzilla.suse.com/1166238 From sle-security-updates at lists.suse.com Thu Mar 19 08:34:11 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Mar 2020 15:34:11 +0100 (CET) Subject: SUSE-SU-2020:0722-1: moderate: Security update for nghttp2 Message-ID: <20200319143411.E6B2CFCEC@maintenance.suse.de> SUSE Security Update: Security update for nghttp2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0722-1 Rating: moderate References: #1159003 #1166481 Cross-References: CVE-2019-18802 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. 
Description: This update for nghttp2 fixes the following issues: nghttp2 was updated to version 1.40.0 (bsc#1166481) - lib: Add nghttp2_check_authority as public API - lib: Fix the bug that stream is closed with wrong error code - lib: Faster huffman encoding and decoding - build: Avoid filename collision of static and dynamic lib - build: Add new flag ENABLE_STATIC_CRT for Windows - build: cmake: Support building nghttpx with systemd - third-party: Update neverbleed to fix memory leak - nghttpx: Fix bug that mruby is incorrectly shared between backends - nghttpx: Reconnect h1 backend if it lost connection before sending headers - nghttpx: Returns 408 if backend timed out before sending headers - nghttpx: Fix request stal Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-722=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-722=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): nghttp2-1.40.0-3.6.3 nghttp2-debuginfo-1.40.0-3.6.3 nghttp2-debugsource-1.40.0-3.6.3 python3-nghttp2-1.40.0-3.6.3 python3-nghttp2-debuginfo-1.40.0-3.6.3 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libnghttp2_asio1-32bit-1.40.0-3.6.3 libnghttp2_asio1-32bit-debuginfo-1.40.0-3.6.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libnghttp2-14-1.40.0-3.6.3 libnghttp2-14-debuginfo-1.40.0-3.6.3 libnghttp2-devel-1.40.0-3.6.3 libnghttp2_asio-devel-1.40.0-3.6.3 libnghttp2_asio1-1.40.0-3.6.3 libnghttp2_asio1-debuginfo-1.40.0-3.6.3 nghttp2-debuginfo-1.40.0-3.6.3 
nghttp2-debugsource-1.40.0-3.6.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libnghttp2-14-32bit-1.40.0-3.6.3 libnghttp2-14-32bit-debuginfo-1.40.0-3.6.3 References: https://www.suse.com/security/cve/CVE-2019-18802.html https://bugzilla.suse.com/1159003 https://bugzilla.suse.com/1166481 From sle-security-updates at lists.suse.com Thu Mar 19 08:43:49 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Mar 2020 15:43:49 +0100 (CET) Subject: SUSE-SU-2020:0721-1: important: Security update for MozillaThunderbird Message-ID: <20200319144349.17F29FCB3@maintenance.suse.de> SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0721-1 Rating: important References: #1166238 Cross-References: CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. 
Description: This update for MozillaThunderbird fixes the following issues: MozillaThunderbird was updated to 68.6.0 ESR (MFSA 2020-10 bsc#1166238) - CVE-2020-6805: Fixed a use-after-free when removing data about origins - CVE-2020-6806: Fixed improper protections against state confusion - CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction - CVE-2020-6811: Fixed an issue where the 'copy as cURL' feature did not fully escape website-controlled data potentially leading to command injection - CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init - CVE-2020-6812: Fixed an issue where the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission - CVE-2020-6814: Fixed multiple memory safety bugs Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-721=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): MozillaThunderbird-68.6.0-3.74.1 MozillaThunderbird-debuginfo-68.6.0-3.74.1 MozillaThunderbird-debugsource-68.6.0-3.74.1 MozillaThunderbird-translations-common-68.6.0-3.74.1 MozillaThunderbird-translations-other-68.6.0-3.74.1 References: https://www.suse.com/security/cve/CVE-2019-20503.html https://www.suse.com/security/cve/CVE-2020-6805.html https://www.suse.com/security/cve/CVE-2020-6806.html https://www.suse.com/security/cve/CVE-2020-6807.html https://www.suse.com/security/cve/CVE-2020-6811.html https://www.suse.com/security/cve/CVE-2020-6812.html https://www.suse.com/security/cve/CVE-2020-6814.html https://bugzilla.suse.com/1166238 From sle-security-updates at lists.suse.com Thu Mar 19 11:21:58 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) 
Date: Thu, 19 Mar 2020 18:21:58 +0100 (CET) Subject: SUSE-SU-2020:0725-1: important: Security update for tomcat Message-ID: <20200319172158.6A7FDFCEC@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0725-1 Rating: important References: #1164692 Cross-References: CVE-2020-1938 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat fixes the following issues: - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-725=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-725=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-725=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-725=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-725=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-725=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-725=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-725=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-725=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-725=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-725=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE OpenStack Cloud 8 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE OpenStack Cloud 7 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 
tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 
tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - SUSE Enterprise Storage 5 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 - HPE Helion Openstack 8 (noarch): tomcat-8.0.53-29.22.1 tomcat-admin-webapps-8.0.53-29.22.1 tomcat-docs-webapp-8.0.53-29.22.1 tomcat-el-3_0-api-8.0.53-29.22.1 tomcat-javadoc-8.0.53-29.22.1 tomcat-jsp-2_3-api-8.0.53-29.22.1 tomcat-lib-8.0.53-29.22.1 tomcat-servlet-3_1-api-8.0.53-29.22.1 tomcat-webapps-8.0.53-29.22.1 References: https://www.suse.com/security/cve/CVE-2020-1938.html https://bugzilla.suse.com/1164692 From sle-security-updates at lists.suse.com Fri Mar 20 11:13:12 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 20 Mar 2020 18:13:12 +0100 (CET) Subject: SUSE-SU-2020:0737-1: important: Recommended update for ruby2.5 Message-ID: <20200320171312.A6AFFFCB3@maintenance.suse.de> SUSE Security Update: Recommended update for ruby2.5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0737-1 Rating: important References: #1140844 #1152990 #1152992 #1152994 #1152995 #1162396 #1164804 Cross-References: CVE-2012-6708 CVE-2015-9251 CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-8130 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes 7 vulnerabilities 
is now available. Description: This update for ruby2.5 to version 2.5.7 fixes the following issues: ruby 2.5 was updated to version 2.5.7 - CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804). - CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and Shell#test (bsc#1152990). - CVE-2019-16254: Fixed an HTTP response splitting in WEBrick (bsc#1152992). - CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service of WEBrick Digest access authentication (bsc#1152995). - CVE-2012-6708: Fixed an XSS in JQuery - CVE-2015-9251: Fixed an XSS in JQuery - Fixed unit tests (bsc#1140844) - Removed some unneeded test files (bsc#1162396). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-737=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-737=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-737=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-737=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-737=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-737=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libruby2_5-2_5-2.5.7-4.8.1 libruby2_5-2_5-debuginfo-2.5.7-4.8.1 ruby2.5-2.5.7-4.8.1 ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-devel-2.5.7-4.8.1 ruby2.5-devel-extra-2.5.7-4.8.1 ruby2.5-stdlib-2.5.7-4.8.1 
ruby2.5-stdlib-debuginfo-2.5.7-4.8.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libruby2_5-2_5-2.5.7-4.8.1 libruby2_5-2_5-debuginfo-2.5.7-4.8.1 ruby2.5-2.5.7-4.8.1 ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-devel-2.5.7-4.8.1 ruby2.5-devel-extra-2.5.7-4.8.1 ruby2.5-stdlib-2.5.7-4.8.1 ruby2.5-stdlib-debuginfo-2.5.7-4.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-doc-2.5.7-4.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): ruby2.5-doc-ri-2.5.7-4.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libruby2_5-2_5-2.5.7-4.8.1 libruby2_5-2_5-debuginfo-2.5.7-4.8.1 ruby2.5-2.5.7-4.8.1 ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-devel-2.5.7-4.8.1 ruby2.5-devel-extra-2.5.7-4.8.1 ruby2.5-stdlib-2.5.7-4.8.1 ruby2.5-stdlib-debuginfo-2.5.7-4.8.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libruby2_5-2_5-2.5.7-4.8.1 libruby2_5-2_5-debuginfo-2.5.7-4.8.1 ruby2.5-2.5.7-4.8.1 ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-devel-2.5.7-4.8.1 ruby2.5-devel-extra-2.5.7-4.8.1 ruby2.5-stdlib-2.5.7-4.8.1 ruby2.5-stdlib-debuginfo-2.5.7-4.8.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libruby2_5-2_5-2.5.7-4.8.1 libruby2_5-2_5-debuginfo-2.5.7-4.8.1 ruby2.5-2.5.7-4.8.1 ruby2.5-debuginfo-2.5.7-4.8.1 ruby2.5-debugsource-2.5.7-4.8.1 ruby2.5-devel-2.5.7-4.8.1 ruby2.5-devel-extra-2.5.7-4.8.1 ruby2.5-stdlib-2.5.7-4.8.1 ruby2.5-stdlib-debuginfo-2.5.7-4.8.1 References: https://www.suse.com/security/cve/CVE-2012-6708.html https://www.suse.com/security/cve/CVE-2015-9251.html https://www.suse.com/security/cve/CVE-2019-15845.html https://www.suse.com/security/cve/CVE-2019-16201.html https://www.suse.com/security/cve/CVE-2019-16254.html 
https://www.suse.com/security/cve/CVE-2019-16255.html https://www.suse.com/security/cve/CVE-2020-8130.html https://bugzilla.suse.com/1140844 https://bugzilla.suse.com/1152990 https://bugzilla.suse.com/1152992 https://bugzilla.suse.com/1152994 https://bugzilla.suse.com/1152995 https://bugzilla.suse.com/1162396 https://bugzilla.suse.com/1164804 From sle-security-updates at lists.suse.com Fri Mar 20 12:39:20 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 20 Mar 2020 19:39:20 +0100 (CET) Subject: SUSE-CU-2020:94-1: Security update of suse/sle15 Message-ID: <20200320183920.AA225FCEC@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:94-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.169 Container Release : 4.22.169 Severity : moderate Type : security References : 1159003 1166106 1166481 1166848 CVE-2019-18802 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:722-1 Released: Thu Mar 19 11:21:57 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1159003,1166481,CVE-2019-18802 This update for nghttp2 fixes the following issues: nghttp2 was updated to version 1.40.0 (bsc#1166481) - lib: Add nghttp2_check_authority as public API - lib: Fix the bug that stream is closed with wrong error code - lib: Faster huffman encoding and decoding - build: Avoid filename collision of static and dynamic lib - build: Add new flag ENABLE_STATIC_CRT for Windows - build: cmake: Support building nghttpx with systemd - third-party: Update neverbleed to fix memory leak - nghttpx: Fix bug that mruby is incorrectly shared between backends - nghttpx: Reconnect h1 backend if it lost connection before sending headers - nghttpx: Returns 408 if backend timed out before sending headers - nghttpx: Fix request stal ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:727-1 Released: Thu Mar 19 13:57:15 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1166848 This update for openssl-1_1 fixes the following issues: - Fix a locking issue uncovered by the python testsuite (bsc#1166848) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) From sle-security-updates at lists.suse.com Fri Mar 20 12:43:10 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 20 Mar 2020 19:43:10 +0100 (CET) Subject: SUSE-CU-2020:95-1: Security update of suse/sle15 Message-ID: 
<20200320184310.9EF36FCEC@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:95-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.185 Container Release : 6.2.185 Severity : moderate Type : security References : 1159003 1166106 1166481 CVE-2019-18802 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:722-1 Released: Thu Mar 19 11:21:57 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1159003,1166481,CVE-2019-18802 This update for nghttp2 fixes the following issues: nghttp2 was updated to version 1.40.0 (bsc#1166481) - lib: Add nghttp2_check_authority as public API - lib: Fix the bug that stream is closed with wrong error code - lib: Faster huffman encoding and decoding - build: Avoid filename collision of static and dynamic lib - build: Add new flag ENABLE_STATIC_CRT for Windows - build: cmake: Support building nghttpx with systemd - third-party: Update neverbleed to fix memory leak - nghttpx: Fix bug that mruby is incorrectly shared between backends - nghttpx: Reconnect h1 backend if it lost connection before sending headers - nghttpx: Returns 408 if backend timed out before sending headers - nghttpx: Fix request stal ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) From sle-security-updates at lists.suse.com Mon Mar 23 14:18:36 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) 
Date: Mon, 23 Mar 2020 21:18:36 +0100 (CET) Subject: SUSE-SU-2020:0752-1: moderate: Security update for postgresql10 Message-ID: <20200323201836.47583FCEE@maintenance.suse.de> SUSE Security Update: Security update for postgresql10 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0752-1 Rating: moderate References: #1163985 Cross-References: CVE-2020-1720 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for postgresql10 fixes the following issues: PostgreSQL was updated to version 10.12. Security issue fixed: - CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-752=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-752=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-752=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): libecpg6-10.12-8.9.1 libecpg6-debuginfo-10.12-8.9.1 postgresql10-contrib-10.12-8.9.1 postgresql10-contrib-debuginfo-10.12-8.9.1 postgresql10-debuginfo-10.12-8.9.1 postgresql10-debugsource-10.12-8.9.1 postgresql10-devel-10.12-8.9.1 postgresql10-devel-debuginfo-10.12-8.9.1 postgresql10-plperl-10.12-8.9.1 postgresql10-plperl-debuginfo-10.12-8.9.1 postgresql10-plpython-10.12-8.9.1 postgresql10-plpython-debuginfo-10.12-8.9.1 postgresql10-pltcl-10.12-8.9.1 postgresql10-pltcl-debuginfo-10.12-8.9.1 postgresql10-server-10.12-8.9.1 postgresql10-server-debuginfo-10.12-8.9.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): postgresql10-docs-10.12-8.9.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): postgresql10-debuginfo-10.12-8.9.1 postgresql10-debugsource-10.12-8.9.1 postgresql10-test-10.12-8.9.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libecpg6-32bit-10.12-8.9.1 libecpg6-32bit-debuginfo-10.12-8.9.1 libpq5-32bit-10.12-8.9.1 libpq5-32bit-debuginfo-10.12-8.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libpq5-10.12-8.9.1 libpq5-debuginfo-10.12-8.9.1 postgresql10-10.12-8.9.1 postgresql10-debuginfo-10.12-8.9.1 postgresql10-debugsource-10.12-8.9.1 References: https://www.suse.com/security/cve/CVE-2020-1720.html 
https://bugzilla.suse.com/1163985 From sle-security-updates at lists.suse.com Mon Mar 23 14:25:17 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 23 Mar 2020 21:25:17 +0100 (CET) Subject: SUSE-SU-2020:0751-1: moderate: Security update for cloud-init Message-ID: <20200323202517.5EF24FCEE@maintenance.suse.de> SUSE Security Update: Security update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0751-1 Rating: moderate References: #1162936 #1162937 #1163178 Cross-References: CVE-2020-8631 CVE-2020-8632 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for cloud-init fixes the following security issues: - CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937). - CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-751=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-751=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): cloud-init-19.4-8.17.1 cloud-init-config-suse-19.4-8.17.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): cloud-init-doc-19.4-8.17.1 References: https://www.suse.com/security/cve/CVE-2020-8631.html https://www.suse.com/security/cve/CVE-2020-8632.html https://bugzilla.suse.com/1162936 https://bugzilla.suse.com/1162937 https://bugzilla.suse.com/1163178 From sle-security-updates at lists.suse.com Mon Mar 23 14:39:12 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 23 Mar 2020 21:39:12 +0100 (CET) Subject: SUSE-SU-2020:0743-1: moderate: Security update for strongswan Message-ID: <20200323203912.088BCFCEC@maintenance.suse.de> SUSE Security Update: Security update for strongswan ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0743-1 Rating: moderate References: #1079548 Cross-References: CVE-2018-6459 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for strongswan fixes the following issues: Strongswan was updated to version 5.8.2 (jsc#SLE-11370). 
Security issue fixed: - CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation (bsc#1079548). Full changelogs: Version 5.8.2 * Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but doesn't require that the CA certificate is locally installed, for instance, intermediate CA certificates received from the peers. Wildcard identity matching (e.g. ..., OU=Research, CN=*) could also be used for the latter but requires trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not issue certificates with OU=Research). With the new constraint that's not necessary as long as a path length basic constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs. * Intermediate CA certificates may now be sent in hash-and-URL encoding by configuring a base URL for the parent CA (#3234, swanctl/rw-hash-and-url-multi-level). * Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and ntru plugins. * Random nonces sent in OCSP requests are now expected in the corresponding OCSP responses. * The kernel-netlink plugin now ignores deprecated IPv6 addresses for MOBIKE. Whether temporary or permanent IPv6 addresses are included now depends on the charon.prefer_temporary_addrs setting (#3192). * Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the kernel. * The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now cleared before sending requests, as many of the messages sent by the kernel are sent as broadcasts to all PF_KEY sockets. This is an issue if an external tool is used to manage SAs/policies unrelated to IPsec (#3225). 
* The vici plugin now uses unique section names for CHILD_SAs in child-updown events (7c74ce9190). * For individually deleted CHILD_SAs (in particular for IKEv1) the vici child-updown event now includes more information about the CHILD_SAs such as traffic statistics (#3198). * Custom loggers are correctly re-registered if log levels are changed via stroke loglevel (#3182). * Avoid lockups during startup on low entropy systems when using OpenSSL 1.1.1 (095a2c2eac). * Instead of failing later when setting a key, creating HMACs via openssl plugin now fails instantly if the underlying hash algorithm isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins work properly (#3284). * Exponents of RSA keys read from TPM 2.0 via SAPI are correctly converted (8ee1242f1438). * Routing table IDs > 255 are supported for custom routes on Linux. * To avoid races, the check for hardware offloading support in the kernel-netlink plugin is performed during initialization of the plugin (a605452c03). * The D-Bus config file for charon-nm is now installed in $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d, which is intended for sysadmin overrides. INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same exchange type and with the same message ID as the request. * IKEv2 SAs are now immediately destroyed when sending or receiving INVALID_SYNTAX notifies in authenticated messages. * For developers working from the repository the configure script now aborts if GNU gperf is not found. Version 5.8.1 * RDNs in DNs of X.509 certificates can now optionally be matched less strict. The global strongswan.conf option charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched RDNs are treated like wildcard matches). 
* The updown plugin now passes the same interface to the script that is also used for the automatically installed routes, that is, the interface over which the peer is reached instead of the interface on which the local address is found (#3095). * TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private key concurrently (4b25885025). * Do a rekey check after the third QM message was received (#3060). * If available, explicit_bzero() is now used as memwipe() instead of our own implementation. * An .editorconfig file has been added, mainly so GitHub shows files with proper indentation (68346b6962). * The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity cert with 5.6.3 and later (#3139). * The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160). Version 5.8.0 * The systemd service units have been renamed. The modern unit, which was called strongswan-swanctl, is now called strongswan (the previous name is configured as alias in the unit, for which a symlink is created when the unit is enabled). The legacy unit is now called strongswan-starter. * Support for XFRM interfaces (available since Linux 4.19) has been added, which are intended to replace VTI devices (they are similar but offer several advantages, for instance, they are not bound to an address or address family). * IPsec SAs and policies are associated with such interfaces via interface IDs that can be configured in swanctl.conf (dynamic IDs may optionally be allocated for each SA and even direction). It's possible to use separate interfaces for in- and outbound traffic (or only use an interface in one direction and regular policies in the other). * Interfaces may be created dynamically via updown/vici scripts, or statically before or after establishing the SAs. 
Routes must be added manually as needed (the daemon will not install any routes for outbound policies with an interface ID). * When moving XFRM interfaces to other network namespaces they retain access to the SAs and policies installed in the original namespace, which allows providing IPsec tunnels for processes in other network namespaces without giving them access to the IPsec keys or IKE credentials. More information can be found on the page about route-based VPNs. * Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and supported by the responder, no CHILD_SA is established during IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA exchanges. This allows using a separate DH exchange even for the first CHILD_SA, which is otherwise created during IKE_AUTH with keys derived from the IKE_SA's key material. * The swanctl --initiate command may be used to initiate only the IKE_SA via --ike option if --child is omitted and the peer supports this extension. * The NetworkManager backend and plugin support IPv6. * The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch. * IKE SPIs may optionally be labeled via the charon.spi_mask|label options in strongswan.conf. This feature was extracted from charon-tkm, however, now applies the mask/label in network order. * The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0. * The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not correctly implemented when sending either a CRETRY or SRETRY batch. These batches can only be sent in the "Decided" state and a CRETRY batch can immediately carry all messages usually transported by a CDATA batch. It is currently not possible to send a SRETRY batch since full-duplex mode for PT-TLS transport is not supported. 
* Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink plugin now uses address labels to avoid that such addresses are used for non-VPN traffic (00a953d090). * The agent plugin now creates sockets to the ssh/gpg-agent dynamically and does not keep them open, which otherwise might prevent the agent from getting terminated. * To avoid broadcast loops the forecast plugin now only reinjects packets that are marked or received from the configured interface. * UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses a UTF-16LE encoding to calculate the NT hash (#3014). * Properly delete temporary drop policies (used when updating IP addresses of SAs) if manual priorities are used, which was broken since 5.6.2 (8e31d65730). * Avoid overwriting start_action when parsing the inactivity timeout in the vici plugin (#2954). * Fixed the automatic termination of reloaded vici connections with start_action=start, which was broken since 5.6.3 (71b22c250f). * The lookup for shared secrets for IKEv1 SAs via sql plugin should now work better (6ec9f68f32). * Fixed a race condition in the trap manager between installation and removal of a policy (69cbe2ca3f). * The IPsec stack detection and module loading in starter has been removed (it wasn't enforced anyway and loading modules doesn't seem necessary, also KLIPS hasn't been supported for a long time and PF_KEY will eventually be removed from the Linux kernel, ba817d2917). * Several IKEv2 protocol details are now handled more strictly: Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if no CFG_REQUEST payloads were sent, a USE_TRANSPORT_MODE notify received from the responder is checked against the local configuration. * The keys and certificates used by the scenarios in the testing environment are now generated dynamically. 
Running the testing/scripts/build-certs script after creating the base and root images uses the pki utility installed in the latter to create the keys and certificates for all the CAs and in some cases for individual scenarios. These credentials are stored in the source tree, not the image, so this has to be called only once even if the images are later rebuilt. The script automatically (re-)builds the guest images as that generates fresh CRLs and signs the DNS zones. The only keys/certificates currently not generated are the very large ones used by the ikev2/rw-eap-tls-fragments scenario. Version 5.7.2 * For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt length (as defined by the length of the key and hash). However, if the TPM is FIPS-186-4 compliant, the salt length equals the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if that's not the case, it might be necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt length. * Directories for credentials loaded by swanctl are now accessed relative to the loaded swanctl.conf file, in particular, when loading it from a custom location via --file argument. * The base directory, which is used if no custom location for swanctl.conf is specified, is now also configurable at runtime via SWANCTL_DIR environment variable. * If RADIUS Accounting is enabled, the eap-radius plugin will add the session ID (Acct-Session-Id) to Access-Request messages, which e.g. simplifies associating database entries for IP leases and accounting with sessions (the session ID does not change when IKE_SAs are rekeyed, #2853). * All IP addresses assigned by a RADIUS server are included in Accounting-Stop messages even if the client did not claim them, allowing to release them early in case of connection errors (#2856). * Selectors installed on transport mode SAs by the kernel-netlink plugin are now updated if an IP address changes (e.g. 
via MOBIKE) and it was part of the selectors. * No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815). * The bypass-lan plugin now tracks interfaces to handle subnets that move from one interface to another and properly update associated routes (#2820). * Only valid and expected inbound IKEv2 messages are used to update the timestamp of the last received message (previously, retransmits also triggered an update). * IKEv2 requests from responders are now ignored until the IKE_SA is fully established (e.g. if a DPD request from the peer arrives before the IKE_AUTH response does, 46bea1add9). Delayed IKE_SA_INIT responses with COOKIE notifies we already received are ignored, they caused another reset of the IKE_SA previously (#2837). * Active and queued Quick Mode tasks are now adopted if the peer reauthenticates an IKEv1 SA while creating lots of CHILD_SAs. * Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to determine the reqid of the policy even if it wasn't installed by the daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which install policies themselves, 872b9b3e8d). * Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature authentication has to be disabled via charon.signature_authentication. * The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures. * The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1. * Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM was added to the botan plugin. * The mysql plugin now properly handles database connections with transactions under heavy load (#2779). * IP addresses in ha pools are now distributed evenly among all segments (#2828). 
* Private key implementations may optionally provide a list of supported signature schemes, which, as described above, is used by the tpm plugin because for each key on a TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined. * The testing environment is now based on Debian 9 (stretch) by default. This required some changes, in particular, updating to FreeRADIUS 3.x (which forced us to abandon the TNC@FHH patches and scenarios, 2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS module only supports OpenSSL 1.0.2). * Most test scenarios were migrated to swanctl. Version 5.7.1 * Fixes a vulnerability in the gmp plugin triggered by crafted certificates with RSA keys with very small moduli. When verifying signatures with such keys, the code patched with the fix for CVE-2018-16151/2 caused an integer underflow and subsequent heap buffer overflow that results in a crash of the daemon. * The vulnerability has been registered as CVE-2018-17540. Version 5.7.0 * Fixes a potential authorization bypass vulnerability in the gmp plugin that was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several flaws could be exploited by a Bleichenbacher-style attack to forge signatures for low-exponent keys (i.e. with e=3). * CVE-2018-16151 has been assigned to the problem of accepting random bytes after the OID of the hash function in such signatures, and CVE-2018-16152 has been assigned to the issue of not verifying that the parameters in the ASN.1 algorithmIdentifier structure are empty. Other flaws that don't lead to a vulnerability directly (e.g. not checking for at least 8 bytes of padding) have no separate CVE assigned. * Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf. This mainly affects the configuration of file loggers. If the path for such a log file contains dots it now has to be configured in the new path setting within the arbitrarily renamed subsection in the filelog section. 
* Sections in swanctl.conf and strongswan.conf may now reference other sections. All settings and subsections from such a section are inherited. This allows to simplify configs as redundant information has only to be specified once and may then be included in other sections (see strongswan.conf for an example). * The originally selected IKE config (based on the IPs and IKE version) can now change if no matching algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and it's easily possible to specify separate configs for clients that require weaker algorithms (instead of having to also add them in other configs that might be selected). * Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication). * The new botan plugin is a wrapper around the Botan C++ crypto library. It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface. * Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC". * SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log file resulting in a ClientRetry PB-TNC batch to initialize a new measurement cycle. The new imv/imc-swima plugins replace the previous imv/imc-swid plugins, which were removed. * Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols on Google's OSS-Fuzz infrastructure. * Support for version 2 of Intel's TPM2-TSS TCG Software Stack. The presence of the in-kernel /dev/tpmrm0 resource manager is automatically detected. * The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using the syntax --san xmppaddr:. 
* swanctl.conf supports the configuration of marks the in- and/or outbound SA should apply to packets after processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel. * New options in swanctl.conf allow configuring how/whether DF, ECN and DS fields in the IP headers are copied during IPsec processing. Controlling this is currently only possible on Linux. * The handling of sequence numbers in IKEv1 DPDs has been improved (#2714). * To avoid conflicts, the dhcp plugin now only uses the DHCP server port if explicitly configured. Version 5.6.3 * Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This vulnerability has been registered as CVE-2018-10811. * Fixed a vulnerability in the stroke plugin, which did not check the received length before reading a message from the socket. Unless a group is configured, root privileges are required to access that socket, so in the default configuration this shouldn't be an issue. This vulnerability has been registered as CVE-2018-5388. * CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired certificates are removed from new CRLs and the clock on the host doing the revocation check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting a revoked and expired certificate, if it's still valid according to the trailing clock but not contained anymore in not yet valid CRLs. * The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608). * CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't be fetched) are now stored also for intermediate CA certificates and not only for end-entity certificates, so a strict CRL policy can be enforced in such cases. 
* In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must now either not contain a keyUsage extension (like the ones generated by pki), or have at least one of the digitalSignature or nonRepudiation bits set. * New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be useful in situations where it's known the other end is not reachable anymore, or that it already removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless. * Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be) before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced termination request. * When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same destination and replaces the installed route instead of just removing it. Same during installation, where existing routes previously weren't replaced. This should allow using traps with virtual IPs on Linux (#2162). * The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9). * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't proposed) during CREATE_CHILD_SA exchanges has been improved (#2536). * Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such changes properly). * ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with older releases the chacha20poly1305compat keyword may be included in proposals to also propose the algorithm with a key length (c58434aeff). 
* Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto), which automatically uses it if the kernel and device both support it. If hw offload is set to yes and offloading is not supported, the CHILD_SA installation now fails. * The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets from the gateway itself (e811659323). * SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574). * The pki --verify tool may load CA certificates and CRLs from directories. * The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the remote maps the response to a different port, as might happen on Azure), as long as the local port is 500 (85bfab621d). * Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a). * Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed). * Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs that are kept around. * The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to put the value in quotes (e.g. for Base64 encoded shared secrets). Notes for developers: * trap_manager_t: Trap policies are now uninstalled by peer/child name and not the reqid. * No reqid is returned anymore when installing trap policies. * child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets). This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such CHILD_SAs assigned is deleted. 
Version 5.6.2 * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose. However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan's parser did not correctly handle the case of this parameter being absent, causing an undefined data read. This vulnerability has been registered as CVE-2018-6459. * When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be reused, instead of using the first configured group, which avoids an additional exchange if the peer previously selected a different DH group via INVALID_KE_PAYLOAD notify. The same is also done when rekeying CHILD_SAs except for the first rekeying of the CHILD_SA that was created with the IKE_SA, where no DH group was negotiated yet. Also, the selected DH group is moved to the front in all sent proposals that contain it and all proposals that don't are moved to the back in order to convey the preference for this group to the peer. * Handling of MOBIKE task queuing has been improved. In particular, the response to an address update (with NAT-D payloads) is not ignored anymore if only an address list update or DPD is queued as that could prevent updating the UDP encapsulation in the kernel. * On Linux, roam events may optionally be triggered by changes to the routing rules, which can be useful if routing rules (instead of e.g. route metrics) are used to switch from one to another interface (i.e. from one to another routing table). Since routing rules are currently not evaluated when doing route lookups this is only useful if the kernel-based route lookup is used (4664992f7d). 
* The fallback drop policies installed to avoid traffic leaks when replacing addresses in installed policies are now replaced by temporary drop policies, which also prevent acquires because we currently delete and reinstall IPsec SAs to update their addresses (35ef1b032d). * Access X.509 certificates held in non-volatile storage of a TPM 2.0 referenced via the NV index. Adding the --keyid parameter to pki --print allows to print private keys or certificates stored in a smartcard or a TPM 2.0. * Fixed proposal selection if a peer incorrectly sends DH groups in the ESP proposal during IKE_AUTH and also if a DH group is configured in the local ESP proposal and charon.prefer_configured_proposals is disabled (d058fd3c32). * The lookup for PSK secrets for IKEv1 has been improved for certain scenarios (see #2497 for details). * MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013). * The tpm_extendpcr command line tool extends a digest into a TPM PCR. * Ported the NetworkManager backend from the deprecated libnm-glib to libnm. * The save-keys debugging/development plugin saves IKE and/or ESP keys to files compatible with Wireshark. Version 5.6.1 * Several algorithms were removed from the default ESP/AH and IKE proposals in compliance with RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the 3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKE default proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the latter is significant for Windows clients in their default configuration). These algorithms may still be used in custom proposals. * Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are currently not used automatically by default; to change that, charon.rsa_pss may be enabled. 
To explicitly use or require such signatures during IKEv2 signature authentication (RFC 7427) ike:rsa/pss... authentication constraints may be used for specific connections (regardless of whether the strongswan.conf option above is enabled). Only the hash algorithm can be specified in such constraints, the MGF1 will be based on that hash and the salt length will equal the hash length (when verifying the salt length is not enforced). To enforce such signatures during PKI verification use rsa/pss... authentication constraints. * All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the classic PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only the hash algorithm is configurable (via --digest option), the MGF1 will be based on that and the salt length will equal the hash length. * These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin. Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys in PKCS#8 files) are currently not used as constraints. * The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database accordingly. Additionally for each new package version a SWID tag for the given OS and HW architecture is created and stored in the database. * Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job). * When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or due to other reasons like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits for IKE_SA_INIT messages. 
* Because the initiator SPI was previously reused when restarting the connection delayed responses for previous connection attempts were processed and might have caused fatal errors due to a failed DH negotiation or because of the internal retry counter in the ike-init task. For instance, if we proposed a DH group the responder rejected we might have later received delayed responses that either contained INVALID_KE_PAYLOAD notifies with the DH group we already switched to, or, if we retransmitted an IKE_SA_INIT with the requested group but then had to restart again, a KE payload with a group different from the one we proposed. * The introduction of file versions in the IMV database scheme broke file reference hash measurements. This has been fixed by creating generic product versions having an empty package name. * A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces a certificate verification, closing or reauthenticating all SAs with invalid certificates. * The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and reset via vici and the new swanctl --counters command. They are collected and provided by the optional counters plugin (enabled by default for backwards compatibility if the stroke plugin is built). * Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting messages (655924074b). * Basic support for systemd sockets has been added, which may be used for privilege separation (59db98fb94). * Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa option in swanctl.conf. * The timeout of leases in pools configured via pool utility may be configured in other units than hours. * INITIAL_CONTACT notifies are now only omitted if never is configured as uniqueness policy. 
* Outbound FWD policies for shunts are not installed anymore, by default (as is the case for other policies since 5.5.1). * Don't consider a DH group mismatch during CHILD_SA rekeying as failure as responder (e7276f78aa). * Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (e138003de9). * Trigger expire events for the correct IPsec SA in libipsec (6e861947a0). * A crash in CRL verification via openssl plugin using OpenSSL 1.1 has been fixed (78acaba6a1). * No hard-coded default proposals are passed from starter to the stroke plugin anymore (the IKE proposal used curve25519 since 5.5.2, which is an optional plugin). * A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (039b85dd43). * Handling of IKE_SA rekey collisions in charon-tkm has been fixed. * Instead of failing or just silently doing nothing unit tests may now warn about certain conditions (e.g. if a test was not executed due to external dependencies). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-743=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-743=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): strongswan-debuginfo-5.8.2-4.6.14 strongswan-debugsource-5.8.2-4.6.14 strongswan-mysql-5.8.2-4.6.14 strongswan-mysql-debuginfo-5.8.2-4.6.14 strongswan-nm-5.8.2-4.6.14 strongswan-nm-debuginfo-5.8.2-4.6.14 strongswan-sqlite-5.8.2-4.6.14 strongswan-sqlite-debuginfo-5.8.2-4.6.14 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): strongswan-5.8.2-4.6.14 strongswan-debuginfo-5.8.2-4.6.14 strongswan-debugsource-5.8.2-4.6.14 strongswan-hmac-5.8.2-4.6.14 strongswan-ipsec-5.8.2-4.6.14 strongswan-ipsec-debuginfo-5.8.2-4.6.14 strongswan-libs0-5.8.2-4.6.14 strongswan-libs0-debuginfo-5.8.2-4.6.14 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): strongswan-doc-5.8.2-4.6.14 References: https://www.suse.com/security/cve/CVE-2018-6459.html https://bugzilla.suse.com/1079548 From sle-security-updates at lists.suse.com Mon Mar 23 14:44:57 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 23 Mar 2020 21:44:57 +0100 (CET) Subject: SUSE-SU-2020:0750-1: moderate: Security update for python36 Message-ID: <20200323204457.79764FCEC@maintenance.suse.de> SUSE Security Update: Security update for python36 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0750-1 Rating: moderate References: #1155094 Cross-References: CVE-2019-18348 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one 
vulnerability is now available. Description: This update for python36 fixes the following issues: - CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-750=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython3_6m1_0-3.6.10-4.9.1 libpython3_6m1_0-debuginfo-3.6.10-4.9.1 python36-3.6.10-4.9.1 python36-base-3.6.10-4.9.1 python36-base-debuginfo-3.6.10-4.9.1 python36-base-debugsource-3.6.10-4.9.1 python36-debuginfo-3.6.10-4.9.1 python36-debugsource-3.6.10-4.9.1 References: https://www.suse.com/security/cve/CVE-2019-18348.html https://bugzilla.suse.com/1155094 From sle-security-updates at lists.suse.com Tue Mar 24 09:03:02 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 24 Mar 2020 16:03:02 +0100 (CET) Subject: SUSE-CU-2020:96-1: Security update of sles12/portus Message-ID: <20200324150302.D20BDFCEC@maintenance.suse.de> SUSE Container Update Advisory: sles12/portus ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:96-1 Container Tags : sles12/portus:2.4.3 Container Release : 2.10.1 Severity : important Type : security References : 1043886 1049825 1077717 1082318 1093414 1104902 1106383 1107617 1110929 1114592 1114674 1116995 1117951 1123886 1123919 1124847 1127027 1128828 1131830 1132826 1133495 1134550 1135254 1136298 1137053 1137832 1139459 1139870 1139942 1140039 1140631 1140914 1141093 1141798 1141897 1142058 1142614 1142649 1142654 1142661 1143194 1143215 1143273 1145092 1145521 1146415 1148517 1148987 1149145 1149429 1149496 1150003 1150250 
1150451 1150595 1150734 1151377 1151506 1151577 1153386 1153557 1154036 1154037 1154043 1154043 1154162 1154862 1154871 1154948 1155199 1155338 1155339 1155574 1156482 1157198 1157578 1158586 1158763 1158809 1159162 1159814 1160163 1160571 1160594 1160764 1160895 1160912 1161779 1162108 1162388 1162518 1163922 1163985 1165811 CVE-2018-10754 CVE-2018-18311 CVE-2019-10208 CVE-2019-12749 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-17498 CVE-2019-17594 CVE-2019-17595 CVE-2019-18900 CVE-2019-18901 CVE-2019-2614 CVE-2019-2627 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2974 CVE-2019-3688 CVE-2019-3690 CVE-2019-5188 CVE-2019-5482 CVE-2019-9893 CVE-2020-1712 CVE-2020-1720 CVE-2020-2574 CVE-2020-8013 SLE-10396 SLE-7081 SLE-7257 ----------------------------------------------------------------- The container sles12/portus was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:336-1 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1043886 This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2120-1 Released: Wed Aug 14 11:17:39 2019 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1136298,SLE-7257 This update for pam fixes the following issues: - Enable pam_userdb.so (SLE-7257,bsc#1136298) - Upgraded pam_userdb to 1.3.1. 
(bsc#1136298) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2264-1 Released: Mon Sep 2 09:07:12 2019 Summary: Security update for perl Type: security Severity: important References: 1114674,CVE-2018-18311 This update for perl fixes the following issues: Security issue fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2269-1 Released: Mon Sep 2 14:23:28 2019 Summary: Security update for postgresql10 Type: security Severity: important References: 1145092,CVE-2019-10208 This update for postgresql10 fixes the following issues: Security issue fixed: - CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2288-1 Released: Wed Sep 4 14:22:47 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1107617,1137053,1142661 This update for systemd fixes the following issues: - Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902) - udevd: changed the default value of udev.children-max (again) (bsc#1107617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2372-1 Released: Thu Sep 12 14:01:27 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1139942,1140914,SLE-7081 This update for krb5 fixes the following issues: - Fix missing responder if there is no pre-auth; (bsc#1139942) - Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081) - Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2339-1 Released: Thu Sep 12 14:17:53 
2019 Summary: Security update for curl Type: security Severity: important References: 1149496,CVE-2019-5482 This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2390-1 Released: Tue Sep 17 15:46:02 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194). - CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2413-1 Released: Fri Sep 20 10:44:26 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl fixes the following issues: OpenSSL Security Advisory [10 September 2019] - CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003). - CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2440-1 Released: Mon Sep 23 17:15:13 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. 
(bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2461-1 Released: Wed Sep 25 16:42:53 2019 Summary: Security update for mariadb Type: security Severity: moderate References: 1127027,1132826,1141798,1142058,1143215,CVE-2019-2614,CVE-2019-2627,CVE-2019-2737,CVE-2019-2739,CVE-2019-2740,CVE-2019-2805 This update for mariadb fixes the following issues: Updated to MariaDB 10.0.40-1. Security issues fixed: - CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737, CVE-2019-2614, CVE-2019-2627. (bsc#1132826) (bsc#1141798). Non-security issues fixed: - Adjusted mysql-systemd-helper ('shutdown protected MySQL' section) so it checks both ping response and the pid in a process list as it can take some time till the process is terminated. Otherwise it can lead to 'found left-over process' situation when regular mariadb is started. (bsc#1143215) - Fixed IP resolving in mysql_install_db script. (bsc#1142058, bsc#1127027, MDEV-18526) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2480-1 Released: Fri Sep 27 13:12:08 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093) Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2510-1 Released: Tue Oct 1 17:37:12 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigated ECDSA timing attack. 
(bsc#1148987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2740-1 Released: Tue Oct 22 15:34:30 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2818-1 Released: Tue Oct 29 17:22:01 2019 Summary: Recommended update for zypper and libzypp Type: recommended Severity: important References: 1049825,1116995,1140039,1145521,1146415,1153557 This update for zypper and libzypp fixes the following issues: Package: zypper - Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521) - Rephrased the file conflicts check summary (bsc#1140039) - Fixes an issue where the bash completion was wrongly expanded (bsc#1049825) Package: libzypp - Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes a file descriptor leak in the media backend (bsc#1116995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2887-1 Released: Mon Nov 4 17:31:49 2019 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1139870 This update for apparmor provides the following fix: - Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. 
(bsc#1139870) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2898-1 Released: Tue Nov 5 17:00:27 2019 Summary: Recommended update for systemd Type: recommended Severity: important References: 1140631,1150595,1154948 This update for systemd fixes the following issues: - sd-bus: deal with cookie overruns (bsc#1150595) - rules: Add by-id symlinks for persistent memory (bsc#1140631) - Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2936-1 Released: Fri Nov 8 13:19:55 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1154862,CVE-2019-17498 This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2941-1 Released: Tue Nov 12 10:03:32 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Update to new upstream release 2.4.1: * Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. 
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893): * Update the syscall table for Linux v5.0-rc5 * Added support for the SCMP_ACT_KILL_PROCESS action * Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute * Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension * Added support for the parisc and parisc64 architectures * Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) * Return -EDOM on an endian mismatch when adding an architecture to a filter * Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() * Fix PFC generation when a syscall is prioritized, but no rule exists * Numerous fixes to the seccomp-bpf filter generation code * Switch our internal hashing function from jhash/Lookup3 to MurmurHash3 * Numerous tests added to the included test suite, coverage now at ~92% * Update our Travis CI configuration to use Ubuntu 16.04 * Numerous documentation fixes and updates Update to release 2.3.3: * Updated the syscall table for Linux v4.15-rc7 Update to release 2.3.2: * Achieved full compliance with the CII Best Practices program * Added Travis CI builds to the GitHub repository * Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository * Updated the syscall tables to match Linux v4.10-rc6+ * Support for building with Python v3.x * Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true * Several small documentation fixes - ignore make check error for ppc64/ppc64le, bypass bsc#1142614 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3003-1 Released: Tue Nov 19 10:12:33 2019 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1153386,SLE-10396 This update for procps provides the following fixes: 
- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396) - Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3064-1 Released: Mon Nov 25 18:44:36 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3085-1 Released: Thu Nov 28 10:01:53 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 does not fix any additional security issues, but corrects the rpm changelog to reflect all CVEs that have been fixed in the past. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3094-1 Released: Thu Nov 28 16:47:52 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830). - CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037). Bug fixes: - Fixed ppc64le build configuration (bsc#1134550). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3132-1 Released: Tue Dec 3 10:52:14 2019 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate References: 1154043 This update for update-alternatives fixes the following issues: - Fix post install scripts: test if there is an actual file before calling update-alternatives. (bsc#1154043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3180-1 Released: Thu Dec 5 11:42:40 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3342-1 Released: Thu Dec 19 11:04:35 2019 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1151577 This update for elfutils fixes the following issues: - Add require of 'libebl1' for 'libelf1'. 
(bsc#1151577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3364-1 Released: Thu Dec 19 19:20:52 2019 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: 1158586,1159162 This update for ncurses fixes the following issues: - Work around a bug of old upstream gen-pkgconfig (bsc#1159162) - Remove doubled library path options (bsc#1159162) - Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162) - Fix last change, that is add missed library linker paths as well as missed include directories for non-standard paths (bsc#1158586, bsc#1159162) - Do not mix include directories of different ncurses ABI (bsc#1158586) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:50-1 Released: Thu Jan 9 09:34:32 2020 Summary: Security update for mariadb Type: security Severity: moderate References: 1154162,CVE-2019-2974 This update for mariadb fixes the following issues: Security issue fixed: - CVE-2019-2974: Fixed Server Optimizer (bsc#1154162). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:79-1 Released: Mon Jan 13 10:37:34 2020 Summary: Security update for libzypp Type: security Severity: moderate References: 1158763,CVE-2019-18900 This update for libzypp fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:86-1 Released: Mon Jan 13 14:12:22 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:394-1 Released: Tue Feb 18 14:08:00 2020 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. 
(bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:373-1 Released: Tue Feb 18 15:06:18 2020 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:404-1 Released: Wed Feb 19 09:05:47 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1154871 This update for p11-kit fixes the following issues: - Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:474-1 Released: Tue Feb 25 13:24:15 2020 Summary: Security update for openssl Type: security Severity: moderate References: 1117951,1158809,1160163,CVE-2019-1551 This update for openssl fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Non-security issue fixed: - Fixed a crash in BN_copy (bsc#1160163). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:527-1 Released: Fri Feb 28 11:51:29 2020 Summary: Security update for mariadb Type: security Severity: moderate References: 1077717,1160895,1160912,1162388,CVE-2019-18901,CVE-2020-2574 This update for mariadb fixes the following issues: MariaDB was updated to version 10.0.40-3 (bsc#1162388). Security issues fixed: - CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). 
- CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:545-1 Released: Fri Feb 28 15:50:46 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:561-1 Released: Mon Mar 2 17:24:59 2020 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1110929,1157578 This update for elfutils fixes the following issues: - Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578) - Fix for '.ko' file corruption in debug info. 
(bsc#1110929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:571-1 Released: Tue Mar 3 13:23:35 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:331-1 Released: Wed Mar 18 12:52:46 2020 Summary: Security update for systemd Type: security Severity: important References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Unconfirmed fix to prevent systemctl from hanging during restart. (bsc#1139459) - Fix warnings thrown during package installation. (bsc#1154043) - Fix for systemd-udevd to prevent a crash within OES2018. (bsc#1151506) - Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482) - Wait for workers to finish when exiting. (bsc#1106383) - Improve log message when inotify limit is reached. (bsc#1155574) - Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377) - Introduce function for reading virtual files in 'sysfs' and 'procfs'. 
(bsc#1133495, bsc#1159814) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:715-1 Released: Wed Mar 18 16:28:12 2020 Summary: Security update for postgresql10 Type: security Severity: low References: 1163985,CVE-2020-1720 This update for postgresql10 fixes the following issues: PostgreSQL was updated to version 10.12. Security issue fixed: - CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985). ----------------------------------------------------------------- Advisory ID: 14445 Released: Mon Mar 23 14:31:56 2020 Summary: Recommended update for portus, portus-image Type: recommended Severity: moderate References: 1165811 This update for portus, portus-image fixes the following issues: Portus was updated to 2.4.3. It fixes a bug where portus was suddenly deleting all images. (bsc#1165811) From sle-security-updates at lists.suse.com Tue Mar 24 14:14:30 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 24 Mar 2020 21:14:30 +0100 (CET) Subject: SUSE-SU-2020:14331-1: important: Security Beta update for Salt Message-ID: <20200324201430.E5ECAFCEE@maintenance.suse.de> SUSE Security Update: Security Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14331-1 Rating: important References: #1157465 #1162327 #1162504 #1163981 #1165425 Cross-References: CVE-2019-18897 Affected Products: SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: This update fixes the following issues: salt: - Requiring python3-distro only for openSUSE/SLE >= 15 - Use full option name instead of undocumented abbreviation for zypper - Python-distro is only needed for > Python 3.7. 
Removing it for Python 2 - Fixed a local privilege escalation to root (bsc#1157465) (CVE-2019-18897) - Fix unit tests failures in test_batch_async tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - Enable build for Python 3.8 - Update to Salt version 2019.2.3 (bsc#1163981) (bsc#1162504) - Replacing pycrypto with M2Crypto (bsc#1165425) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu184ct-salt-beta-202003-14331=1 Package List: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all): salt-common-2019.2.2+ds-1.1+27.12.2 salt-minion-2019.2.2+ds-1.1+27.12.2 References: https://www.suse.com/security/cve/CVE-2019-18897.html https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1163981 https://bugzilla.suse.com/1165425 From sle-security-updates at lists.suse.com Tue Mar 24 14:15:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 24 Mar 2020 21:15:50 +0100 (CET) Subject: SUSE-SU-2020:0763-1: important: Security Beta update for Salt Message-ID: <20200324201550.8E4FFFCEE@maintenance.suse.de> SUSE Security Update: Security Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0763-1 Rating: important References: #1157465 #1162327 #1162504 #1163981 #1165425 Cross-References: CVE-2019-18897 Affected Products: SUSE Manager Tools 15-BETA ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now 
available. Description: This update fixes the following issues: salt: - Requiring python3-distro only for openSUSE/SLE >= 15 - Use full option name instead of undocumented abbreviation for zypper - Python-distro is only needed for > Python 3.7. Removing it for Python 2 - Fixed a local privilege escalation to root (bsc#1157465) (CVE-2019-18897) - Fix unit tests failures in test_batch_async tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - Enable build for Python 3.8 - Update to Salt version 2019.2.3 (bsc#1163981) (bsc#1162504) - Replacing pycrypto with M2Crypto (bsc#1165425) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 15-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-15-2020-763=1 Package List: - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64): python2-salt-2019.2.3-8.12.1 python3-salt-2019.2.3-8.12.1 salt-2019.2.3-8.12.1 salt-api-2019.2.3-8.12.1 salt-cloud-2019.2.3-8.12.1 salt-doc-2019.2.3-8.12.1 salt-master-2019.2.3-8.12.1 salt-minion-2019.2.3-8.12.1 salt-proxy-2019.2.3-8.12.1 salt-ssh-2019.2.3-8.12.1 salt-standalone-formulas-configuration-2019.2.3-8.12.1 salt-syndic-2019.2.3-8.12.1 - SUSE Manager Tools 15-BETA (noarch): salt-bash-completion-2019.2.3-8.12.1 salt-fish-completion-2019.2.3-8.12.1 salt-zsh-completion-2019.2.3-8.12.1 References: https://www.suse.com/security/cve/CVE-2019-18897.html https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1163981 https://bugzilla.suse.com/1165425 From sle-security-updates at lists.suse.com Tue Mar 24 14:17:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at 
lists.suse.com) Date: Tue, 24 Mar 2020 21:17:46 +0100 (CET) Subject: SUSE-SU-2020:14332-1: important: Security Beta update for Salt Message-ID: <20200324201746.C49B2FCEE@maintenance.suse.de> SUSE Security Update: Security Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14332-1 Rating: important References: #1157465 #1162327 #1162504 #1163981 #1165425 Cross-References: CVE-2019-18897 Affected Products: SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: This update fixes the following issues: salt: - Requiring python3-distro only for openSUSE/SLE >= 15 - Use full option name instead of undocumented abbreviation for zypper - Python-distro is only needed for > Python 3.7. Removing it for Python 2 - Fixed a local privilege escalation to root (bsc#1157465) (CVE-2019-18897) - Fix unit tests failures in test_batch_async tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - Enable build for Python 3.8 - Update to Salt version 2019.2.3 (bsc#1163981) (bsc#1162504) - Replacing pycrypto with M2Crypto (bsc#1165425) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu164ct-salt-beta-202003-14332=1 Package List: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA (all): salt-common-2019.2.2+ds-1.1+9.9.2 salt-minion-2019.2.2+ds-1.1+9.9.2 References: https://www.suse.com/security/cve/CVE-2019-18897.html https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1163981 https://bugzilla.suse.com/1165425 From sle-security-updates at lists.suse.com Tue Mar 24 14:22:39 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 24 Mar 2020 21:22:39 +0100 (CET) Subject: SUSE-SU-2020:0762-1: important: Security Beta update for Salt Message-ID: <20200324202239.EA752FCEE@maintenance.suse.de> SUSE Security Update: Security Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0762-1 Rating: important References: #1157465 #1162327 #1162504 #1163981 #1165425 Cross-References: CVE-2019-18897 Affected Products: SUSE Manager Tools 12-BETA ______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: This update fixes the following issues: salt: - Requiring python3-distro only for openSUSE/SLE >= 15 - Use full option name instead of undocumented abbreviation for zypper - Python-distro is only needed for > Python 3.7. 
Removing it for Python 2 - Fixed a local privilege escalation to root (bsc#1157465) (CVE-2019-18897) - Fix unit tests failures in test_batch_async tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - Enable build for Python 3.8 - Update to Salt version 2019.2.3 (bsc#1163981) (bsc#1162504) - Replacing pycrypto with M2Crypto (bsc#1165425) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-762=1 Package List: - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64): python2-salt-2019.2.3-49.12.1 python3-salt-2019.2.3-49.12.1 salt-2019.2.3-49.12.1 salt-doc-2019.2.3-49.12.1 salt-minion-2019.2.3-49.12.1 References: https://www.suse.com/security/cve/CVE-2019-18897.html https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1163981 https://bugzilla.suse.com/1165425 From sle-security-updates at lists.suse.com Tue Mar 24 17:15:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 25 Mar 2020 00:15:46 +0100 (CET) Subject: SUSE-SU-2020:0779-1: important: Security update for keepalived Message-ID: <20200324231546.17A17FCEE@maintenance.suse.de> SUSE Security Update: Security update for keepalived ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0779-1 Rating: important References: #1015141 #1069468 #1158280 #949238 Cross-References: CVE-2018-19044 CVE-2018-19045 CVE-2018-19046 Affected Products: SUSE Linux Enterprise High Availability 15-SP1 
______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for keepalived fixes the following issues: Initial release of keepalived v2.0.19 as supported package. (bsc#1158280, jsc#ECO-223) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-779=1 Package List: - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): keepalived-2.0.19-3.3.1 keepalived-debuginfo-2.0.19-3.3.1 keepalived-debugsource-2.0.19-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-19044.html https://www.suse.com/security/cve/CVE-2018-19045.html https://www.suse.com/security/cve/CVE-2018-19046.html https://bugzilla.suse.com/1015141 https://bugzilla.suse.com/1069468 https://bugzilla.suse.com/1158280 https://bugzilla.suse.com/949238 From sle-security-updates at lists.suse.com Wed Mar 25 11:15:51 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 25 Mar 2020 18:15:51 +0100 (CET) Subject: SUSE-SU-2020:0790-1: moderate: Security update for python-cffi, python-cryptography, python-xattr Message-ID: <20200325171551.63A46FCEC@maintenance.suse.de> SUSE Security Update: Security update for python-cffi, python-cryptography, python-xattr ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0790-1 Rating: moderate References: #1055478 #1070737 #1101820 #1111657 #1138748 #1149792 #981848 Cross-References: CVE-2018-10903 Affected Products: SUSE OpenStack Cloud 6-LTSS SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS 
______________________________________________________________________________ An update that solves one vulnerability and has 6 fixes is now available. Description: This update for python-cffi, python-cryptography and python-xattr fixes the following issues: Security issue fixed: - CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820). Non-security issues fixed: python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598): - fixed a build failure on i586 (bsc#1111657) - Salt was unable to highstate in snapshot 20171129 (bsc#1070737) - Update pytest in spec to add c directory tests in addition to testing directory. Update to 1.11.1: * Fix tests, remove deprecated C API usage * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions (cpython issue #29943) * Fix for 3.7.0a1+ Update to 1.11.0: * Support the modern standard types char16_t and char32_t. These work like wchar_t: they represent one unicode character, or when used as charN_t * or charN_t[] they represent a unicode string. The difference with wchar_t is that they have a known, fixed size. They should work at all places that used to work with wchar_t (please report an issue if I missed something). Note that with set_source(), you need to make sure that these types are actually defined by the C source you provide (if used in cdef()). * Support the C99 types float _Complex and double _Complex. Note that libffi doesn't support them, which means that in the ABI mode you still cannot call C functions that take complex numbers directly as arguments or return type. * Fixed a rare race condition when creating multiple FFI instances from multiple threads. (Note that you aren't meant to create many FFI instances: in inline mode, you should write ffi = cffi.FFI() at module level just after import cffi; and in out-of-line mode you don't instantiate FFI explicitly at all.) 
* Windows: using callbacks can be messy because the CFFI internal error messages show up to stderr - but stderr goes nowhere in many applications. This makes it particularly hard to get started with the embedding mode. (Once you get started, you can at least use @ffi.def_extern(onerror=...) and send the error logs where it makes sense for your application, or record them in log files, and so on.) So what is new in CFFI is that now, on Windows CFFI will try to open a non-modal MessageBox (in addition to sending raw messages to stderr). The MessageBox is only visible if the process stays alive: typically, console applications that crash close immediately, but that is also the situation where stderr should be visible anyway. * Progress on support for callbacks in NetBSD. * Functions returning booleans would in some cases still return 0 or 1 instead of False or True. Fixed. * ffi.gc() now takes an optional third parameter, which gives an estimate of the size (in bytes) of the object. So far, this is only used by PyPy, to make the next GC occur more quickly (issue #320). In the future, this might have an effect on CPython too (provided the CPython issue 31105 is addressed). * Add a note to the documentation: the ABI mode gives function objects that are slower to call than the API mode does. For some reason it is often thought to be faster. It is not! Update to 1.10.1: * Fixed the line numbers reported in case of cdef() errors. Also, I just noticed, but pycparser always supported the preprocessor directive # 42 "foo.h" to mean "from the next line, we're in file foo.h starting from line 42", which it puts in the error messages. Update to 1.10.0: * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset() to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array) where most of the time you never touch most of the array. * Some OS/X build fixes ("only with Xcode but without CLT").
* Improve a couple of error messages: when getting mismatched versions of cffi and its backend; and when calling functions which cannot be called with libffi because an argument is a struct that is "too complicated" (and not a struct pointer, which always works). * Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang) * Implemented the remaining cases for ffi.from_buffer. Now all buffer/memoryview objects can be passed. The one remaining check is against passing unicode strings in Python 2. (They support the buffer interface, but that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the time not what you expect. In Python 3 this has been fixed and the unicode strings don't support the memoryview interface any more.) * The C type _Bool or bool now converts to a Python boolean when reading, instead of the content of the byte as an integer. The potential incompatibility here is what occurs if the byte contains a value different from 0 and 1. Previously, it would just return it; with this change, CFFI raises an exception in this case. But this case means "undefined behavior" in C; if you really have to interface with a library relying on this, don't use bool in the CFFI side. Also, it is still valid to use a byte string as initializer for a bool[], but now it must only contain \x00 or \x01. As an aside, ffi.string() no longer works on bool[] (but it never made much sense, as this function stops at the first zero). * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works like before but is the constructor of that type. * ffi.addressof(lib, "name") now works also in in-line mode, not only in out-of-line mode. This is useful for taking the address of global variables. * Issue #255: cdata objects of a primitive type (integers, floats, char) are now compared and ordered by value. For example, compares equal to 42 and compares equal to b'A'.
Unlike C, does not compare equal to ffi.cast("unsigned int", -1): it compares smaller, because -1 < 4294967295. * PyPy: ffi.new() and ffi.new_allocator()() did not record "memory pressure", causing the GC to run too infrequently if you call ffi.new() very often and/or with large arrays. Fixed in PyPy 5.7. * Support in ffi.cdef() for numeric expressions with + or -. Assumes that there is no overflow; it should be fixed first before we add more general support for arbitrary arithmetic on constants. Update to 1.9.1: - Structs with variable-sized arrays as their last field: now we track the length of the array after ffi.new() is called, just like we always tracked the length of ffi.new("int[]", 42). This lets us detect out-of-range accesses to array items. This also lets us display a better repr(), and have the total size returned by ffi.sizeof() and ffi.buffer(). Previously both functions would return a result based on the size of the declared structure type, with an assumed empty array. (Thanks andrew for starting this refactoring.) - Add support in cdef()/set_source() for unspecified-length arrays in typedefs: typedef int foo_t[...];. It was already supported for global variables or structure fields. - I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has no values explicitly defined: refusing to guess which integer type it is meant to be (unsigned/signed, int/long). Now I'm turning it back to a warning again; it seems that guessing that the enum has size int is a 99%-safe bet. (But not 100%, so it stays as a warning.) - Fix leaks in the code handling FILE * arguments. In CPython 3 there is a remaining issue that is hard to fix: if you pass a Python file object to a FILE * argument, then os.dup() is used and the new file descriptor is only closed when the GC reclaims the Python file object - and not at the earlier time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic conversion of Python file objects: instead, explicitly manipulate file descriptors and call fdopen() from C (...via cffi). - When passing a void * argument to a function with a different pointer type, or vice-versa, the cast occurs automatically, like in C. The same occurs for initialization with ffi.new() and a few other places. However, I thought that char * had the same property - but I was mistaken. In C you get the usual warning if you try to give a char * to a char ** argument, for example. Sorry about the confusion. This has been fixed in CFFI by giving for now a warning, too. It will turn into an error in a future version. - Issue #283: fixed ffi.new() on structures/unions with nested anonymous structures/unions, when there is at least one union in the mix. When initialized with a list or a dict, it should now behave more closely like the { } syntax does in GCC. - CPython 3.x: experimental: the generated C extension modules now use the "limited API", which means that, as a compiled .so/.dll, it should work directly on any version of CPython >= 3.2. The name produced by distutils is still version-specific. To get the version-independent name, you can rename it manually to NAME.abi3.so, or use the very recent setuptools 26. - Added ffi.compile(debug=...), similar to python setup.py build --debug but defaulting to True if we are running a debugging version of Python itself. - Removed the restriction that ffi.from_buffer() cannot be used on byte strings. Now you can get a char * out of a byte string, which is valid as long as the string object is kept alive. (But don't use it to modify the string object! If you need this, use bytearray or other official techniques.) - PyPy 5.4 can now pass a byte string directly to a char * argument (in older versions, a copy would be made). This used to be a CPython-only optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by another call to ffi.gc() - bool(ffi.cast("primitive type", x)) now returns False if the value is zero (including -0.0), and True otherwise. Previously this would only return False for cdata objects of a pointer type when the pointer is NULL. - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason it was not supported was that it was hard to do in PyPy, but it works since PyPy 5.3.) To call a C function with a char * argument from a buffer object - now including bytearrays - you write lib.foo(ffi.from_buffer(x)). Additionally, this is now supported: p[0:length] = bytearray-object. The problem with this was that iterating over bytearrays gives numbers instead of characters. (Now it is implemented with just a memcpy, of course, not actually iterating over the characters.) - C++: compiling the generated C code with C++ was supposed to work, but failed if you make use of the bool type (because that is rendered as the C _Bool type, which doesn't exist in C++). - help(lib) and help(lib.myfunc) now give useful information, as well as dir(p) where p is a struct or pointer-to-struct. - Fixed the "negative left shift" warning by replacing bitshifting in appropriate places by bitwise and comparison to self; patch taken from upstream git. Drop cffi-1.5.2-wnoerror.patch: no longer required. - disable "negative left shift" warning in test suite to prevent failures with gcc6, until upstream fixes the undefined code in question (bsc#981848) Update to version 1.6.0: * ffi.list_types() * ffi.unpack() * extern "Python+C" * in API mode, lib.foo.__doc__ contains the C signature now. * Yet another attempt at robustness of ffi.def_extern() against CPython's interpreter shutdown logic.
Update to 1.5.2: * support for cffi-based embedding * more robustness for shutdown logic Updated python-cryptography to 2.1.4 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598) - Make this version of the package compatible with OpenSSL 1.1.1d (bsc#1149792) - CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820) Update to version 2.1.4: * Added X509_up_ref for an upcoming pyOpenSSL release. * Corrected a bug with the manylinux1 wheels where OpenSSL's stack was marked executable. * support for OpenSSL 1.0.0 has been removed. * Added support for Diffie-Hellman key exchange * The OS random engine for OpenSSL has been rewritten python-xattr was just rebuilt to adjust its cffi dependency. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 6-LTSS: zypper in -t patch SUSE-OpenStack-Cloud-6-LTSS-2020-790=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-790=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-790=1 Package List: - SUSE OpenStack Cloud 6-LTSS (x86_64): python-cryptography-2.1.4-3.15.5 python-cryptography-debuginfo-2.1.4-3.15.5 python-cryptography-debugsource-2.1.4-3.15.5 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): python-cffi-1.11.2-2.19.2 python-cffi-debuginfo-1.11.2-2.19.2 python-cffi-debugsource-1.11.2-2.19.2 python-cryptography-2.1.4-3.15.5 python-cryptography-debuginfo-2.1.4-3.15.5 python-cryptography-debugsource-2.1.4-3.15.5 python-xattr-0.7.5-3.2.1 python-xattr-debuginfo-0.7.5-3.2.1 python-xattr-debugsource-0.7.5-3.2.1 python3-cffi-1.11.2-2.19.2 python3-cryptography-2.1.4-3.15.5 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): python-cffi-1.11.2-2.19.2 python-cffi-debuginfo-1.11.2-2.19.2 python-cffi-debugsource-1.11.2-2.19.2
python-cryptography-2.1.4-3.15.5 python-cryptography-debuginfo-2.1.4-3.15.5 python-cryptography-debugsource-2.1.4-3.15.5 python-xattr-0.7.5-3.2.1 python-xattr-debuginfo-0.7.5-3.2.1 python-xattr-debugsource-0.7.5-3.2.1 python3-cffi-1.11.2-2.19.2 python3-cryptography-2.1.4-3.15.5 References: https://www.suse.com/security/cve/CVE-2018-10903.html https://bugzilla.suse.com/1055478 https://bugzilla.suse.com/1070737 https://bugzilla.suse.com/1101820 https://bugzilla.suse.com/1111657 https://bugzilla.suse.com/1138748 https://bugzilla.suse.com/1149792 https://bugzilla.suse.com/981848 From sle-security-updates at lists.suse.com Wed Mar 25 11:19:37 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 25 Mar 2020 18:19:37 +0100 (CET) Subject: SUSE-SU-2020:0792-1: moderate: Security update for python-cffi, python-cryptography Message-ID: <20200325171937.2EEAEFCEC@maintenance.suse.de> SUSE Security Update: Security update for python-cffi, python-cryptography ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0792-1 Rating: moderate References: #1055478 #1070737 #1101820 #1111657 #1138748 #1149792 #981848 Cross-References: CVE-2018-10903 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 SUSE CaaS Platform 3.0 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has 6 fixes is now available. 
Description: This update for python-cffi, python-cryptography fixes the following issues: Security issue fixed: - CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820). Non-security issues fixed: python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598): - fixed a build failure on i586 (bsc#1111657) - Salt was unable to highstate in snapshot 20171129 (bsc#1070737) - Update pytest in spec to add c directory tests in addition to testing directory. - update to version 1.11.2: * Fix Windows issue with managing the thread-state on CPython 3.0 to 3.5 - Update pytest in spec to add c directory tests in addition to testing directory. - Omit test_init_once_multithread tests as they rely on multiple threads finishing in a given time. Returns sporadic pass/fail within build. - Update to 1.11.1: * Fix tests, remove deprecated C API usage * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions (cpython issue #29943) * Fix for 3.7.0a1+ - Update to 1.11.0: * Support the modern standard types char16_t and char32_t. These work like wchar_t: they represent one unicode character, or when used as charN_t * or charN_t[] they represent a unicode string. The difference with wchar_t is that they have a known, fixed size. They should work at all places that used to work with wchar_t (please report an issue if I missed something). Note that with set_source(), you need to make sure that these types are actually defined by the C source you provide (if used in cdef()). * Support the C99 types float _Complex and double _Complex. Note that libffi doesn't support them, which means that in the ABI mode you still cannot call C functions that take complex numbers directly as arguments or return type. * Fixed a rare race condition when creating multiple FFI instances from multiple threads. 
(Note that you aren't meant to create many FFI instances: in inline mode, you should write ffi = cffi.FFI() at module level just after import cffi; and in out-of-line mode you don't instantiate FFI explicitly at all.) * Windows: using callbacks can be messy because the CFFI internal error messages show up to stderr - but stderr goes nowhere in many applications. This makes it particularly hard to get started with the embedding mode. (Once you get started, you can at least use @ffi.def_extern(onerror=...) and send the error logs where it makes sense for your application, or record them in log files, and so on.) So what is new in CFFI is that now, on Windows CFFI will try to open a non-modal MessageBox (in addition to sending raw messages to stderr). The MessageBox is only visible if the process stays alive: typically, console applications that crash close immediately, but that is also the situation where stderr should be visible anyway. * Progress on support for callbacks in NetBSD. * Functions returning booleans would in some cases still return 0 or 1 instead of False or True. Fixed. * ffi.gc() now takes an optional third parameter, which gives an estimate of the size (in bytes) of the object. So far, this is only used by PyPy, to make the next GC occur more quickly (issue #320). In the future, this might have an effect on CPython too (provided the CPython issue 31105 is addressed). * Add a note to the documentation: the ABI mode gives function objects that are slower to call than the API mode does. For some reason it is often thought to be faster. It is not! - Update to 1.10.1: * Fixed the line numbers reported in case of cdef() errors. Also, I just noticed, but pycparser always supported the preprocessor directive # 42 "foo.h" to mean "from the next line, we're in file foo.h starting from line 42", which it puts in the error messages.
- update to 1.10.0: * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset() to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array) where most of the time you never touch most of the array. * Some OS/X build fixes ("only with Xcode but without CLT"). * Improve a couple of error messages: when getting mismatched versions of cffi and its backend; and when calling functions which cannot be called with libffi because an argument is a struct that is "too complicated" (and not a struct pointer, which always works). * Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang) * Implemented the remaining cases for ffi.from_buffer. Now all buffer/memoryview objects can be passed. The one remaining check is against passing unicode strings in Python 2. (They support the buffer interface, but that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the time not what you expect. In Python 3 this has been fixed and the unicode strings don't support the memoryview interface any more.) * The C type _Bool or bool now converts to a Python boolean when reading, instead of the content of the byte as an integer. The potential incompatibility here is what occurs if the byte contains a value different from 0 and 1. Previously, it would just return it; with this change, CFFI raises an exception in this case. But this case means "undefined behavior" in C; if you really have to interface with a library relying on this, don't use bool in the CFFI side. Also, it is still valid to use a byte string as initializer for a bool[], but now it must only contain \x00 or \x01. As an aside, ffi.string() no longer works on bool[] (but it never made much sense, as this function stops at the first zero). * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works like before but is the constructor of that type. * ffi.addressof(lib, "name") now works also in in-line mode, not only in out-of-line mode.
This is useful for taking the address of global variables. * Issue #255: cdata objects of a primitive type (integers, floats, char) are now compared and ordered by value. For example, compares equal to 42 and compares equal to b'A'. Unlike C, does not compare equal to ffi.cast("unsigned int", -1): it compares smaller, because -1 < 4294967295. * PyPy: ffi.new() and ffi.new_allocator()() did not record "memory pressure", causing the GC to run too infrequently if you call ffi.new() very often and/or with large arrays. Fixed in PyPy 5.7. * Support in ffi.cdef() for numeric expressions with + or -. Assumes that there is no overflow; it should be fixed first before we add more general support for arbitrary arithmetic on constants. - do not generate HTML documentation for packages that are indirect dependencies of Sphinx (see docs at https://cffi.readthedocs.org/ ) - update to 1.9.1 - Structs with variable-sized arrays as their last field: now we track the length of the array after ffi.new() is called, just like we always tracked the length of ffi.new("int[]", 42). This lets us detect out-of-range accesses to array items. This also lets us display a better repr(), and have the total size returned by ffi.sizeof() and ffi.buffer(). Previously both functions would return a result based on the size of the declared structure type, with an assumed empty array. (Thanks andrew for starting this refactoring.) - Add support in cdef()/set_source() for unspecified-length arrays in typedefs: typedef int foo_t[...];. It was already supported for global variables or structure fields. - I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has no values explicitly defined: refusing to guess which integer type it is meant to be (unsigned/signed, int/long). Now I'm turning it back to a warning again; it seems that guessing that the enum has size int is a 99%-safe bet. (But not 100%, so it stays as a warning.) - Fix leaks in the code handling FILE * arguments.
In CPython 3 there is a remaining issue that is hard to fix: if you pass a Python file object to a FILE * argument, then os.dup() is used and the new file descriptor is only closed when the GC reclaims the Python file object - and not at the earlier time when you call close(), which only closes the original file descriptor. If this is an issue, you should avoid this automatic conversion of Python file objects: instead, explicitly manipulate file descriptors and call fdopen() from C (...via cffi). - When passing a void * argument to a function with a different pointer type, or vice-versa, the cast occurs automatically, like in C. The same occurs for initialization with ffi.new() and a few other places. However, I thought that char * had the same property - but I was mistaken. In C you get the usual warning if you try to give a char * to a char ** argument, for example. Sorry about the confusion. This has been fixed in CFFI by giving for now a warning, too. It will turn into an error in a future version. - Issue #283: fixed ffi.new() on structures/unions with nested anonymous structures/unions, when there is at least one union in the mix. When initialized with a list or a dict, it should now behave more closely like the { } syntax does in GCC. - CPython 3.x: experimental: the generated C extension modules now use the "limited API", which means that, as a compiled .so/.dll, it should work directly on any version of CPython >= 3.2. The name produced by distutils is still version-specific. To get the version-independent name, you can rename it manually to NAME.abi3.so, or use the very recent setuptools 26. - Added ffi.compile(debug=...), similar to python setup.py build --debug but defaulting to True if we are running a debugging version of Python itself. - Removed the restriction that ffi.from_buffer() cannot be used on byte strings. Now you can get a char * out of a byte string, which is valid as long as the string object is kept alive.
(But don't use it to modify the string object! If you need this, use bytearray or other official techniques.) - PyPy 5.4 can now pass a byte string directly to a char * argument (in older versions, a copy would be made). This used to be a CPython-only optimization. - ffi.gc(p, None) removes the destructor on an object previously created by another call to ffi.gc() - bool(ffi.cast("primitive type", x)) now returns False if the value is zero (including -0.0), and True otherwise. Previously this would only return False for cdata objects of a pointer type when the pointer is NULL. - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason it was not supported was that it was hard to do in PyPy, but it works since PyPy 5.3.) To call a C function with a char * argument from a buffer object - now including bytearrays - you write lib.foo(ffi.from_buffer(x)). Additionally, this is now supported: p[0:length] = bytearray-object. The problem with this was that iterating over bytearrays gives numbers instead of characters. (Now it is implemented with just a memcpy, of course, not actually iterating over the characters.) - C++: compiling the generated C code with C++ was supposed to work, but failed if you make use of the bool type (because that is rendered as the C _Bool type, which doesn't exist in C++). - help(lib) and help(lib.myfunc) now give useful information, as well as dir(p) where p is a struct or pointer-to-struct. - update for multipython build - disable "negative left shift" warning in test suite to prevent failures with gcc6, until upstream fixes the undefined code in question (bsc#981848) - Update to version 1.6.0: * ffi.list_types() * ffi.unpack() * extern "Python+C" * in API mode, lib.foo.__doc__ contains the C signature now. * Yet another attempt at robustness of ffi.def_extern() against CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
  * Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
  * Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g.
- update to version 2.1.2:
  * Corrected a bug with the manylinux1 wheels where OpenSSL's stack was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adjust Requires and BuildRequires

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-792=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-792=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-792=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-792=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-792=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-792=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-792=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-792=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-792=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-792=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-792=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-792=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-792=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE OpenStack Cloud 8 (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 - SUSE OpenStack Cloud 7 (s390x x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 
python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cffi-debuginfo-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 python3-cryptography-debuginfo-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cffi-debuginfo-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 python3-cryptography-debuginfo-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 
python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE Enterprise Storage 5 (aarch64 x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 - SUSE CaaS Platform 3.0 (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 - HPE Helion Openstack 8 (x86_64): python-cffi-1.11.2-5.11.1 python-cffi-debuginfo-1.11.2-5.11.1 python-cffi-debugsource-1.11.2-5.11.1 
python-cryptography-2.1.4-7.28.2 python-cryptography-debuginfo-2.1.4-7.28.2 python-cryptography-debugsource-2.1.4-7.28.2 python-xattr-0.7.5-6.3.2 python-xattr-debuginfo-0.7.5-6.3.2 python-xattr-debugsource-0.7.5-6.3.2 python3-cffi-1.11.2-5.11.1 python3-cryptography-2.1.4-7.28.2 References: https://www.suse.com/security/cve/CVE-2018-10903.html https://bugzilla.suse.com/1055478 https://bugzilla.suse.com/1070737 https://bugzilla.suse.com/1101820 https://bugzilla.suse.com/1111657 https://bugzilla.suse.com/1138748 https://bugzilla.suse.com/1149792 https://bugzilla.suse.com/981848 From sle-security-updates at lists.suse.com Thu Mar 26 14:16:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Mar 2020 21:16:05 +0100 (CET) Subject: SUSE-SU-2020:0801-1: moderate: Security update for ldns Message-ID: <20200326201605.9848AFDE5@maintenance.suse.de> SUSE Security Update: Security update for ldns ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0801-1 Rating: moderate References: #1068709 #1068711 Cross-References: CVE-2017-1000231 CVE-2017-1000232 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for ldns fixes the following issues: - CVE-2017-1000231: Fixed a buffer overflow during token parsing (bsc#1068711). - CVE-2017-1000232: Fixed a double-free vulnerability in str2host.c (bsc#1068709). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-801=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-801=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-801=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ldns-1.7.0-4.3.1 ldns-debuginfo-1.7.0-4.3.1 ldns-debugsource-1.7.0-4.3.1 python3-ldns-1.7.0-4.3.1 python3-ldns-debuginfo-1.7.0-4.3.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ldns-debuginfo-1.7.0-4.3.1 ldns-debugsource-1.7.0-4.3.1 perl-DNS-LDNS-1.7.0-4.3.1 perl-DNS-LDNS-debuginfo-1.7.0-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ldns-debuginfo-1.7.0-4.3.1 ldns-debugsource-1.7.0-4.3.1 ldns-devel-1.7.0-4.3.1 libldns2-1.7.0-4.3.1 libldns2-debuginfo-1.7.0-4.3.1 References: https://www.suse.com/security/cve/CVE-2017-1000231.html https://www.suse.com/security/cve/CVE-2017-1000232.html https://bugzilla.suse.com/1068709 https://bugzilla.suse.com/1068711 From sle-security-updates at lists.suse.com Fri Mar 27 05:32:21 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 27 Mar 2020 12:32:21 +0100 (CET) Subject: SUSE-SU-2020:14334-1: important: Security update for tomcat6 Message-ID: <20200327113221.C76ADFCEE@maintenance.suse.de> SUSE Security Update: Security update for tomcat6 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14334-1 Rating: important References: #1164692 Cross-References: CVE-2020-1938 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of 
Sale 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat6 fixes the following issues: - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-tomcat6-14334=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-tomcat6-14334=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (noarch): tomcat6-6.0.53-0.57.13.1 tomcat6-admin-webapps-6.0.53-0.57.13.1 tomcat6-docs-webapp-6.0.53-0.57.13.1 tomcat6-javadoc-6.0.53-0.57.13.1 tomcat6-jsp-2_1-api-6.0.53-0.57.13.1 tomcat6-lib-6.0.53-0.57.13.1 tomcat6-servlet-2_5-api-6.0.53-0.57.13.1 tomcat6-webapps-6.0.53-0.57.13.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): tomcat6-6.0.53-0.57.13.1 tomcat6-admin-webapps-6.0.53-0.57.13.1 tomcat6-docs-webapp-6.0.53-0.57.13.1 tomcat6-javadoc-6.0.53-0.57.13.1 tomcat6-jsp-2_1-api-6.0.53-0.57.13.1 tomcat6-lib-6.0.53-0.57.13.1 tomcat6-servlet-2_5-api-6.0.53-0.57.13.1 tomcat6-webapps-6.0.53-0.57.13.1 References: https://www.suse.com/security/cve/CVE-2020-1938.html https://bugzilla.suse.com/1164692 From sle-security-updates at lists.suse.com Fri Mar 27 11:19:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 27 Mar 2020 18:19:09 +0100 (CET) Subject: SUSE-SU-2020:0806-1: important: Security update for tomcat Message-ID: <20200327171909.9D20DFCEE@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0806-1 Rating: important References: #1164692 Cross-References: 
CVE-2020-1938 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat fixes the following issues: - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-806=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-806=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): tomcat-8.0.53-10.38.1 tomcat-admin-webapps-8.0.53-10.38.1 tomcat-docs-webapp-8.0.53-10.38.1 tomcat-el-3_0-api-8.0.53-10.38.1 tomcat-javadoc-8.0.53-10.38.1 tomcat-jsp-2_3-api-8.0.53-10.38.1 tomcat-lib-8.0.53-10.38.1 tomcat-servlet-3_1-api-8.0.53-10.38.1 tomcat-webapps-8.0.53-10.38.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): tomcat-8.0.53-10.38.1 tomcat-admin-webapps-8.0.53-10.38.1 tomcat-docs-webapp-8.0.53-10.38.1 tomcat-el-3_0-api-8.0.53-10.38.1 tomcat-javadoc-8.0.53-10.38.1 tomcat-jsp-2_3-api-8.0.53-10.38.1 tomcat-lib-8.0.53-10.38.1 tomcat-servlet-3_1-api-8.0.53-10.38.1 tomcat-webapps-8.0.53-10.38.1 References: https://www.suse.com/security/cve/CVE-2020-1938.html https://bugzilla.suse.com/1164692 From sle-security-updates at lists.suse.com Mon Mar 30 07:16:58 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 30 Mar 2020 15:16:58 +0200 (CEST) Subject: SUSE-SU-2020:0810-1: important: Security update for spamassassin Message-ID: <20200330131658.6CDCAFCEE@maintenance.suse.de> SUSE Security Update: Security update for spamassassin 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0810-1 Rating: important References: #1118987 #1162197 #1162200 Cross-References: CVE-2018-11805 CVE-2020-1930 CVE-2020-1931 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for spamassassin fixes the following issues: - CVE-2018-11805: Fixed an issue with delimiter handling in rule files related to is_regexp_valid() (bsc#1118987). - CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands (bsc#1162197). - CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands with warnings (bsc#1162200). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-810=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-810=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-810=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-810=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-810=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-810=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-810=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-810=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-810=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-810=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-810=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-810=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-810=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-810=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-810=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE OpenStack Cloud 8 (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE OpenStack Cloud 7 (s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise 
Server for SAP 12-SP3 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - SUSE Enterprise Storage 
5 (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 - HPE Helion Openstack 8 (x86_64): perl-Mail-SpamAssassin-3.4.2-44.8.1 spamassassin-3.4.2-44.8.1 spamassassin-debuginfo-3.4.2-44.8.1 spamassassin-debugsource-3.4.2-44.8.1 References: https://www.suse.com/security/cve/CVE-2018-11805.html https://www.suse.com/security/cve/CVE-2020-1930.html https://www.suse.com/security/cve/CVE-2020-1931.html https://bugzilla.suse.com/1118987 https://bugzilla.suse.com/1162197 https://bugzilla.suse.com/1162200 From sle-security-updates at lists.suse.com Mon Mar 30 07:20:14 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 30 Mar 2020 15:20:14 +0200 (CEST) Subject: SUSE-SU-2020:0811-1: important: Security update for spamassassin Message-ID: <20200330132014.C91A5FCEE@maintenance.suse.de> SUSE Security Update: Security update for spamassassin ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0811-1 Rating: important References: #1118987 #1162197 #1162200 #862963 Cross-References: CVE-2018-11805 CVE-2020-1930 CVE-2020-1931 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for spamassassin fixes the following issues: Security issues fixed: - CVE-2018-11805: Fixed an issue with delimiter handling in rule files related to is_regexp_valid() (bsc#1118987). - CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands (bsc#1162197). 
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands with warnings (bsc#1162200). Non-security issue fixed: - Altering hash requires restarting loop (bsc#862963). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-811=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-811=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.5.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.2-12.5.1 spamassassin-3.4.2-12.5.1 spamassassin-debuginfo-3.4.2-12.5.1 spamassassin-debugsource-3.4.2-12.5.1 References: https://www.suse.com/security/cve/CVE-2018-11805.html https://www.suse.com/security/cve/CVE-2020-1930.html https://www.suse.com/security/cve/CVE-2020-1931.html https://bugzilla.suse.com/1118987 https://bugzilla.suse.com/1162197 https://bugzilla.suse.com/1162200 https://bugzilla.suse.com/862963 From sle-security-updates at lists.suse.com Mon Mar 30 10:17:48 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 30 Mar 2020 18:17:48 +0200 (CEST) Subject: SUSE-SU-2020:0813-1: important: Security update for spamassassin Message-ID: <20200330161748.E5C4DFCEE@maintenance.suse.de> SUSE Security Update: Security update for spamassassin ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0813-1 Rating: important References: #1118987 #1162197 #1162200 #862963 Cross-References: CVE-2018-11805 CVE-2020-1930 CVE-2020-1931 
Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for spamassassin fixes the following issues: Security issues fixed: - CVE-2018-11805: Fixed an issue with delimiter handling in rule files related to is_regexp_valid() (bsc#1118987). - CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands (bsc#1162197). - CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which can be configured to run system commands with warnings (bsc#1162200). Non-security issue fixed: - Altering hash requires restarting loop (bsc#862963). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-813=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-813=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-813=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-813=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.2-7.9.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.9.1 spamassassin-3.4.2-7.9.1 spamassassin-debuginfo-3.4.2-7.9.1 spamassassin-debugsource-3.4.2-7.9.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): perl-Mail-SpamAssassin-3.4.2-7.9.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.9.1 spamassassin-3.4.2-7.9.1 spamassassin-debuginfo-3.4.2-7.9.1 spamassassin-debugsource-3.4.2-7.9.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.2-7.9.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.9.1 spamassassin-3.4.2-7.9.1 spamassassin-debuginfo-3.4.2-7.9.1 spamassassin-debugsource-3.4.2-7.9.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.2-7.9.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.9.1 spamassassin-3.4.2-7.9.1 spamassassin-debuginfo-3.4.2-7.9.1 spamassassin-debugsource-3.4.2-7.9.1 References: https://www.suse.com/security/cve/CVE-2018-11805.html https://www.suse.com/security/cve/CVE-2020-1930.html https://www.suse.com/security/cve/CVE-2020-1931.html https://bugzilla.suse.com/1118987 https://bugzilla.suse.com/1162197 https://bugzilla.suse.com/1162200 https://bugzilla.suse.com/862963 From sle-security-updates at lists.suse.com Tue Mar 31 04:27:10 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 31 Mar 2020 12:27:10 +0200 
(CEST) Subject: SUSE-SU-2020:0818-1: moderate: Security update for cloud-init Message-ID: <20200331102710.6E0AFFCEE@maintenance.suse.de> SUSE Security Update: Security update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0818-1 Rating: moderate References: #1162936 #1162937 #1163178 Cross-References: CVE-2020-8631 CVE-2020-8632 Affected Products: SUSE Linux Enterprise Module for Public Cloud 12 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for cloud-init fixes the following security issues: - CVE-2020-8631: Replaced the theoretically predictable deterministic random number generator with the system RNG (bsc#1162937). - CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-818=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64): cloud-init-19.4-37.39.1 cloud-init-config-suse-19.4-37.39.1 - SUSE CaaS Platform 3.0 (x86_64): cloud-init-19.4-37.39.1 References: https://www.suse.com/security/cve/CVE-2020-8631.html https://www.suse.com/security/cve/CVE-2020-8632.html https://bugzilla.suse.com/1162936 https://bugzilla.suse.com/1162937 https://bugzilla.suse.com/1163178 From sle-security-updates at lists.suse.com Tue Mar 31 10:29:12 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 31 Mar 2020 18:29:12 +0200 (CEST) Subject: SUSE-SU-2020:0820-1: important: Security update for glibc Message-ID: <20200331162912.E6CADFCEE@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0820-1 Rating: important References: #1167631 Cross-References: CVE-2020-1752 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-820=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-820=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-820=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-820=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-820=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-820=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-820=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): glibc-2.26-13.45.1 glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 glibc-devel-2.26-13.45.1 glibc-devel-debuginfo-2.26-13.45.1 glibc-devel-static-2.26-13.45.1 glibc-extra-2.26-13.45.1 glibc-extra-debuginfo-2.26-13.45.1 glibc-locale-2.26-13.45.1 glibc-locale-base-2.26-13.45.1 glibc-locale-base-debuginfo-2.26-13.45.1 glibc-profile-2.26-13.45.1 glibc-utils-2.26-13.45.1 glibc-utils-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 nscd-2.26-13.45.1 nscd-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): glibc-32bit-2.26-13.45.1 glibc-32bit-debuginfo-2.26-13.45.1 glibc-devel-32bit-2.26-13.45.1 glibc-devel-32bit-debuginfo-2.26-13.45.1 glibc-locale-base-32bit-2.26-13.45.1 glibc-locale-base-32bit-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): glibc-i18ndata-2.26-13.45.1 glibc-info-2.26-13.45.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): glibc-2.26-13.45.1 glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 
glibc-devel-2.26-13.45.1 glibc-devel-debuginfo-2.26-13.45.1 glibc-devel-static-2.26-13.45.1 glibc-extra-2.26-13.45.1 glibc-extra-debuginfo-2.26-13.45.1 glibc-locale-2.26-13.45.1 glibc-locale-base-2.26-13.45.1 glibc-locale-base-debuginfo-2.26-13.45.1 glibc-profile-2.26-13.45.1 glibc-utils-2.26-13.45.1 glibc-utils-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 nscd-2.26-13.45.1 nscd-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): glibc-i18ndata-2.26-13.45.1 glibc-info-2.26-13.45.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x x86_64): glibc-debugsource-2.26-13.45.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): glibc-html-2.26-13.45.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): glibc-32bit-debuginfo-2.26-13.45.1 glibc-devel-static-32bit-2.26-13.45.1 glibc-locale-base-32bit-2.26-13.45.1 glibc-locale-base-32bit-debuginfo-2.26-13.45.1 glibc-profile-32bit-2.26-13.45.1 glibc-utils-32bit-2.26-13.45.1 glibc-utils-32bit-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 glibc-devel-static-2.26-13.45.1 glibc-utils-2.26-13.45.1 glibc-utils-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): glibc-32bit-debuginfo-2.26-13.45.1 glibc-devel-32bit-2.26-13.45.1 glibc-devel-32bit-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): glibc-2.26-13.45.1 glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 glibc-devel-2.26-13.45.1 glibc-devel-debuginfo-2.26-13.45.1 glibc-extra-2.26-13.45.1 glibc-extra-debuginfo-2.26-13.45.1 glibc-locale-2.26-13.45.1 glibc-locale-base-2.26-13.45.1 glibc-locale-base-debuginfo-2.26-13.45.1 
glibc-profile-2.26-13.45.1 nscd-2.26-13.45.1 nscd-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): glibc-32bit-2.26-13.45.1 glibc-32bit-debuginfo-2.26-13.45.1 glibc-locale-base-32bit-2.26-13.45.1 glibc-locale-base-32bit-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): glibc-i18ndata-2.26-13.45.1 glibc-info-2.26-13.45.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): glibc-2.26-13.45.1 glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 glibc-devel-2.26-13.45.1 glibc-devel-debuginfo-2.26-13.45.1 glibc-devel-static-2.26-13.45.1 glibc-extra-2.26-13.45.1 glibc-extra-debuginfo-2.26-13.45.1 glibc-locale-2.26-13.45.1 glibc-locale-base-2.26-13.45.1 glibc-locale-base-debuginfo-2.26-13.45.1 glibc-profile-2.26-13.45.1 glibc-utils-2.26-13.45.1 glibc-utils-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 nscd-2.26-13.45.1 nscd-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): glibc-32bit-2.26-13.45.1 glibc-32bit-debuginfo-2.26-13.45.1 glibc-devel-32bit-2.26-13.45.1 glibc-devel-32bit-debuginfo-2.26-13.45.1 glibc-locale-base-32bit-2.26-13.45.1 glibc-locale-base-32bit-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): glibc-i18ndata-2.26-13.45.1 glibc-info-2.26-13.45.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): glibc-2.26-13.45.1 glibc-debuginfo-2.26-13.45.1 glibc-debugsource-2.26-13.45.1 glibc-devel-2.26-13.45.1 glibc-devel-debuginfo-2.26-13.45.1 glibc-devel-static-2.26-13.45.1 glibc-extra-2.26-13.45.1 glibc-extra-debuginfo-2.26-13.45.1 glibc-locale-2.26-13.45.1 glibc-locale-base-2.26-13.45.1 glibc-locale-base-debuginfo-2.26-13.45.1 glibc-profile-2.26-13.45.1 glibc-utils-2.26-13.45.1 glibc-utils-debuginfo-2.26-13.45.1 glibc-utils-src-debugsource-2.26-13.45.1 nscd-2.26-13.45.1 nscd-debuginfo-2.26-13.45.1 - SUSE Linux Enterprise High 
Performance Computing 15-ESPOS (noarch): glibc-i18ndata-2.26-13.45.1 glibc-info-2.26-13.45.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): glibc-32bit-2.26-13.45.1 glibc-32bit-debuginfo-2.26-13.45.1 glibc-devel-32bit-2.26-13.45.1 glibc-devel-32bit-debuginfo-2.26-13.45.1 glibc-locale-base-32bit-2.26-13.45.1 glibc-locale-base-32bit-debuginfo-2.26-13.45.1 References: https://www.suse.com/security/cve/CVE-2020-1752.html https://bugzilla.suse.com/1167631 From sle-security-updates at lists.suse.com Tue Mar 31 10:44:37 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 31 Mar 2020 18:44:37 +0200 (CEST) Subject: SUSE-SU-2020:0819-1: important: Security update for icu Message-ID: <20200331164437.75B2EFCEE@maintenance.suse.de> SUSE Security Update: Security update for icu ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0819-1 Rating: important References: #1166844 Cross-References: CVE-2020-10531 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for icu fixes the following issues: - CVE-2020-10531: Fixed a potential integer overflow in UnicodeString:doAppend (bsc#1166844). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-819=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-819=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-819=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-819=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-819=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-819=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-devel-60.2-3.9.1 libicu60_2-60.2-3.9.1 libicu60_2-debuginfo-60.2-3.9.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): libicu60_2-ledata-60.2-3.9.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-devel-60.2-3.9.1 libicu60_2-60.2-3.9.1 libicu60_2-debuginfo-60.2-3.9.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): libicu60_2-bedata-60.2-3.9.1 libicu60_2-ledata-60.2-3.9.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): icu-60.2-3.9.1 icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-doc-60.2-3.9.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libicu-devel-32bit-60.2-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-devel-60.2-3.9.1 libicu60_2-60.2-3.9.1 libicu60_2-debuginfo-60.2-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libicu60_2-bedata-60.2-3.9.1 libicu60_2-ledata-60.2-3.9.1 - SUSE 
Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-devel-60.2-3.9.1 libicu60_2-60.2-3.9.1 libicu60_2-debuginfo-60.2-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libicu60_2-ledata-60.2-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): icu-debuginfo-60.2-3.9.1 icu-debugsource-60.2-3.9.1 libicu-devel-60.2-3.9.1 libicu60_2-60.2-3.9.1 libicu60_2-debuginfo-60.2-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): libicu60_2-ledata-60.2-3.9.1 References: https://www.suse.com/security/cve/CVE-2020-10531.html https://bugzilla.suse.com/1166844 From sle-security-updates at lists.suse.com Tue Mar 31 10:55:16 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 31 Mar 2020 18:55:16 +0200 (CEST) Subject: SUSE-SU-2020:0831-1: important: Security update for mariadb Message-ID: <20200331165516.4A1BAFCEE@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0831-1 Rating: important References: #1077717 #1156669 #1160878 #1160883 #1160895 #1160912 #1162388 Cross-References: CVE-2019-18901 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805 CVE-2019-2938 CVE-2019-2974 CVE-2020-2574 Affected Products: SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for mariadb to version 10.2.31 GA fixes the following issues: MariaDB was updated to version 10.2.31 GA (bsc#1162388 and bsc#1156669). Security issues fixed: - CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). 
- CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895).
- CVE-2019-2737: Fixed an issue that could allow a remote attacker to cause denial of service.
- CVE-2019-2938: Fixed an issue that could allow a remote attacker to cause denial of service.
- CVE-2019-2740: Fixed an issue that could allow a local attacker to cause denial of service.
- CVE-2019-2805: Fixed an issue that could allow a local attacker to cause denial of service.
- CVE-2019-2974: Fixed an issue that could allow a remote attacker to cause denial of service.
- CVE-2019-2758: Fixed an issue that could allow a local attacker to cause denial of service or data corruption.
- CVE-2019-2739: Fixed an issue that could allow a local attacker to cause denial of service or data corruption.
- Enabled security hardenings in MariaDB's systemd service, namely ProtectSystem, ProtectHome and UMask (bsc#1160878).
- Fixed a potential symlink attack (bsc#1160912).
- Fixed a permissions issue in /var/lib/mysql (bsc#1077717).
- Used systemd-tmpfiles for a cleaner and safer creation of /run/mysql (bsc#1160883).

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-831=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): mariadb-10.2.31-16.1 mariadb-client-10.2.31-16.1 mariadb-client-debuginfo-10.2.31-16.1 mariadb-debuginfo-10.2.31-16.1 mariadb-debugsource-10.2.31-16.1 mariadb-tools-10.2.31-16.1 mariadb-tools-debuginfo-10.2.31-16.1 - SUSE OpenStack Cloud 7 (x86_64): mariadb-galera-10.2.31-16.1 - SUSE OpenStack Cloud 7 (noarch): mariadb-errormessages-10.2.31-16.1 References: https://www.suse.com/security/cve/CVE-2019-18901.html https://www.suse.com/security/cve/CVE-2019-2737.html https://www.suse.com/security/cve/CVE-2019-2739.html https://www.suse.com/security/cve/CVE-2019-2740.html https://www.suse.com/security/cve/CVE-2019-2758.html https://www.suse.com/security/cve/CVE-2019-2805.html https://www.suse.com/security/cve/CVE-2019-2938.html https://www.suse.com/security/cve/CVE-2019-2974.html https://www.suse.com/security/cve/CVE-2020-2574.html https://bugzilla.suse.com/1077717 https://bugzilla.suse.com/1156669 https://bugzilla.suse.com/1160878 https://bugzilla.suse.com/1160883 https://bugzilla.suse.com/1160895 https://bugzilla.suse.com/1160912 https://bugzilla.suse.com/1162388 From sle-security-updates at lists.suse.com Tue Mar 31 13:19:39 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 31 Mar 2020 21:19:39 +0200 (CEST) Subject: SUSE-SU-2020:0832-1: important: Security update for glibc Message-ID: <20200331191939.68149FCEE@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0832-1 Rating: important References: #1149332 #1157893 #1158996 #1165784 #1167631 Cross-References: CVE-2020-10029 CVE-2020-1751 CVE-2020-1752 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux 
Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________
An update that solves three vulnerabilities and has two fixes is now available.

Description: This update for glibc fixes the following issues:
- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).
- CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784).
- Use 'posix_spawn' on popen, preventing a crash caused by 'subprocess'. (bsc#1149332, BZ #22834)
- Fix handling of needles crossing a page, preventing incorrect results from being returned during the cross page boundary search. (bsc#1157893, BZ #25226)

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-832=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-832=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-832=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-832=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.22-100.21.5 glibc-debugsource-2.22-100.21.5 glibc-devel-static-2.22-100.21.5 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): glibc-info-2.22-100.21.5 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.22-100.21.5 glibc-debugsource-2.22-100.21.5 glibc-devel-static-2.22-100.21.5 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): glibc-info-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): glibc-2.22-100.21.5 glibc-debuginfo-2.22-100.21.5 glibc-debugsource-2.22-100.21.5 glibc-devel-2.22-100.21.5 glibc-devel-debuginfo-2.22-100.21.5 glibc-locale-2.22-100.21.5 glibc-locale-debuginfo-2.22-100.21.5 glibc-profile-2.22-100.21.5 nscd-2.22-100.21.5 nscd-debuginfo-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): glibc-32bit-2.22-100.21.5 glibc-debuginfo-32bit-2.22-100.21.5 glibc-devel-32bit-2.22-100.21.5 glibc-devel-debuginfo-32bit-2.22-100.21.5 glibc-locale-32bit-2.22-100.21.5 glibc-locale-debuginfo-32bit-2.22-100.21.5 glibc-profile-32bit-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP5 (noarch): glibc-html-2.22-100.21.5 glibc-i18ndata-2.22-100.21.5 glibc-info-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): glibc-2.22-100.21.5 glibc-debuginfo-2.22-100.21.5 glibc-debugsource-2.22-100.21.5 glibc-devel-2.22-100.21.5 
glibc-devel-debuginfo-2.22-100.21.5 glibc-locale-2.22-100.21.5 glibc-locale-debuginfo-2.22-100.21.5 glibc-profile-2.22-100.21.5 nscd-2.22-100.21.5 nscd-debuginfo-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): glibc-32bit-2.22-100.21.5 glibc-debuginfo-32bit-2.22-100.21.5 glibc-devel-32bit-2.22-100.21.5 glibc-devel-debuginfo-32bit-2.22-100.21.5 glibc-locale-32bit-2.22-100.21.5 glibc-locale-debuginfo-32bit-2.22-100.21.5 glibc-profile-32bit-2.22-100.21.5 - SUSE Linux Enterprise Server 12-SP4 (noarch): glibc-html-2.22-100.21.5 glibc-i18ndata-2.22-100.21.5 glibc-info-2.22-100.21.5 References: https://www.suse.com/security/cve/CVE-2020-10029.html https://www.suse.com/security/cve/CVE-2020-1751.html https://www.suse.com/security/cve/CVE-2020-1752.html https://bugzilla.suse.com/1149332 https://bugzilla.suse.com/1157893 https://bugzilla.suse.com/1158996 https://bugzilla.suse.com/1165784 https://bugzilla.suse.com/1167631 From sle-security-updates at lists.suse.com Tue Mar 31 16:16:40 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 00:16:40 +0200 (CEST) Subject: SUSE-SU-2020:0836-1: important: Security update for the Linux Kernel Message-ID: <20200331221640.08776FE02@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0836-1 Rating: important References: #1044231 #1051510 #1051858 #1056686 #1060463 #1065729 #1103990 #1103992 #1104353 #1104745 #1109837 #1111666 #1111974 #1112178 #1112374 #1113956 #1114279 #1114685 #1119680 #1127611 #1133021 #1134090 #1136157 #1141895 #1144333 #1146539 #1156510 #1157424 #1158187 #1159285 #1160659 #1161561 #1161951 #1162928 #1162929 #1162931 #1164078 #1164507 #1165111 #1165404 #1165488 #1165527 #1165741 #1165813 #1165873 #1165929 #1165950 #1165980 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166658 
#1166730 #1166731 #1166732 #1166733 #1166734 #1166735 Cross-References: CVE-2019-19768 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Legacy Software 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has 58 fixes is now available. Description: The SUSE Linux Enterprise 15-SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929). - CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931). - CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928). - CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111). - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285). The following non-security bugs were fixed: - ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666). - ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666). - ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666). - ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666). - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666). - ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666). 
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666). - ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666). - ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666). - ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666). - ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666). - ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666). - ALSA: usb-audio: unlock on error in probe (bsc#1111666). - ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666). - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510). - amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956) - ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510). - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510). - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510). - ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510). - ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510). - atm: zatm: Fix empty body Clang warnings (bsc#1051510). - b43legacy: Fix -Wcast-function-type (bsc#1051510). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745 ). - bnxt_en: Fix TC queue mapping (networking-stable-20_02_05). - bnxt_en: Improve device shutdown method (bsc#1104745 ). - bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954). - bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09). 
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837). - CIFS: add a debug macro that prints \\server\share for errors (bsc#1144333). - CIFS: add missing mount option to /proc/mounts (bsc#1144333). - CIFS: add new debugging macro cifs_server_dbg (bsc#1144333). - CIFS: add passthrough for smb2 setinfo (bsc#1144333). - CIFS: add SMB2_open() arg to return POSIX data (bsc#1144333). - CIFS: add smb2 POSIX info level (bsc#1144333). - CIFS: add SMB3 change notification support (bsc#1144333). - CIFS: add support for fallocate mode 0 for non-sparse files (bsc#1144333). - CIFS: Add support for setting owner info, dos attributes, and create time (bsc#1144333). - CIFS: Add tracepoints for errors on flush or fsync (bsc#1144333). - CIFS: Adjust indentation in smb2_open_file (bsc#1144333). - CIFS: allow chmod to set mode bits using special sid (bsc#1144333). - CIFS: Avoid doing network I/O while holding cache lock (bsc#1144333). - CIFS: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333). - CIFS: Clean up DFS referral cache (bsc#1144333). - CIFS: create a helper function to parse the query-directory response buffer (bsc#1144333). - CIFS: do d_move in rename (bsc#1144333). - CIFS: Do not display RDMA transport on reconnect (bsc#1144333). - CIFS: do not ignore the SYNC flags in getattr (bsc#1144333). - CIFS: do not leak -EAGAIN for stat() during reconnect (bsc#1144333). - CIFS: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333). - CIFS: enable change notification for SMB2.1 dialect (bsc#1144333). - CIFS: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333). - CIFS: fix a comment for the timeouts when sending echos (bsc#1144333). - CIFS: fix a white space issue in cifs_get_inode_info() (bsc#1144333). - CIFS: fix dereference on ses before it is null checked (bsc#1144333). - CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). 
- CIFS: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333). - CIFS: Fix mode output in debugging statements (bsc#1144333). - CIFS: Fix mount options set in automount (bsc#1144333). - CIFS: fix NULL dereference in match_prepath (bsc#1144333). - CIFS: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333). - CIFS: fix potential mismatch of UNC paths (bsc#1144333). - CIFS: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333). - CIFS: Fix return value in __update_cache_entry (bsc#1144333). - CIFS: fix soft mounts hanging in the reconnect code (bsc#1144333). - CIFS: fix soft mounts hanging in the reconnect code (bsc#1144333). - CIFS: Fix task struct use-after-free on reconnect (bsc#1144333). - CIFS: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333). - CIFS: get mode bits from special sid on stat (bsc#1144333). - CIFS: Get rid of kstrdup_const()'d paths (bsc#1144333). - CIFS: handle prefix paths in reconnect (bsc#1144333). - CIFS: Introduce helpers for finding TCP connection (bsc#1144333). - CIFS: log warning message (once) if out of disk space (bsc#1144333). - CIFS: make sure we do not overflow the max EA buffer size (bsc#1144333). - CIFS: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333). - CIFS: Merge is_path_valid() into get_normalized_path() (bsc#1144333). - CIFS: modefromsid: make room for 4 ACE (bsc#1144333). - CIFS: modefromsid: write mode ACE first (bsc#1144333). - CIFS: Optimize readdir on reparse points (bsc#1144333). - CIFS: plumb smb2 POSIX dir enumeration (bsc#1144333). - CIFS: potential unintitliazed error code in cifs_getattr() (bsc#1144333). - CIFS: prepare SMB2_query_directory to be used with compounding (bsc#1144333). - CIFS: print warning once if mounting with vers=1.0 (bsc#1144333). - CIFS: refactor cifs_get_inode_info() (bsc#1144333). - CIFS: remove redundant assignment to pointer pneg_ctxt (bsc#1144333). 
- CIFS: remove redundant assignment to variable rc (bsc#1144333). - CIFS: remove set but not used variables (bsc#1144333). - CIFS: remove set but not used variable 'server' (bsc#1144333). - CIFS: remove unused variable (bsc#1144333). - CIFS: remove unused variable 'sid_user' (bsc#1144333). - CIFS: rename a variable in SendReceive() (bsc#1144333). - CIFS: rename posix create rsp (bsc#1144333). - CIFS: replace various strncpy with strscpy and similar (bsc#1144333). - CIFS: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333). - CIFS: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333). - CIFS: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333). - CIFS: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333). - CIFS: smbd: Only queue work for error recovery on memory registration (bsc#1144333). - CIFS: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333). - CIFS: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333). - CIFS: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333). - CIFS: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333). - CIFS: use compounding for open and first query-dir for readdir() (bsc#1144333). - CIFS: Use #define in cifs_dbg (bsc#1144333). - CIFS: Use memdup_user() rather than duplicating its implementation (bsc#1144333). - CIFS: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333). - CIFS: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333). - cls_rsvp: fix rsvp_policy (networking-stable-20_02_05). - core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837). - cpufreq: powernv: Fix unsafe notifiers (bsc#1065729). - cpufreq: powernv: Fix use-after-free (bsc#1065729). - crypto: pcrypt - Fix user-after-free on module unload (git-fixes). - devlink: report 0 after hitting end in region read (bsc#1109837). 
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510). - driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510). - driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510). - driver core: Print device when resources present in really_probe() (bsc#1051510). - drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drm/amd/dm/mst: Ignore payload update failures (bsc#1112178) - drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279) - drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279) - drm/etnaviv: fix dumping of iommuv2 (bsc#1114279) - drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510). - drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes). - drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes). - drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279) - drm/i915: Program MBUS with rmw during initialization (git-fixes). - drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279) - drm/i915/userptr: fix size calculation (bsc#1114279) - drm/i915/userptr: Try to acquire the page lock around (bsc#1114279) - drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279) - drm/mediatek: Add gamma property according to hardware capability (bsc#1114279) - drm/mediatek: disable all the planes in atomic_disable (bsc#1114279) - drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510). - drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279) - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279) - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510). - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510). 
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes). - drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279) - drm: remove the newline for CRC source name (bsc#1051510). - EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279). - Enabled the following two patches in series.conf, and refresh the KABI patch due to previous md commit (bsc#1119680) - ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197). - fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003). - firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes). - firmware: imx: scu: Ensure sequential TX (git-fixes). - firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes). - Fixed memory leak in large read decrypt offload (bsc#1144333). - Fixed some regressions (bsc#1165527 ltc#184149). - fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333). - fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333). - fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333). - fs: cifs: mute -Wunused-const-variable message (bsc#1144333). - fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333). - fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333). - fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27). - gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05). - HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510). - HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes). - hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20). - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510). 
- IB/hfi1: Close window for pq and request coliding (bsc#1060463 ). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729). - Input: edt-ft5x06 - work around first register access error (bsc#1051510). - Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510). - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510). - Input: synaptics - switch T470s to RMI4 by default (bsc#1051510). - iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101). - iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102). - iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895). - iommu/dma: Fix MSI reservation allocation (bsc#1166730). - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731). - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732). - iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103). - iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733). - iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734). - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735). - ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes). - ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837). - iwlegacy: Fix -Wcast-function-type (bsc#1051510). - iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632). - iwlwifi: mvm: Fix thermal zone registration (bsc#1051510). - kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895). - kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488). - kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488). 
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895). - KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021). - KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021). - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021). - KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104). - l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05). - libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950). - libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929). - libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929). - lib/raid6: add missing include for raid6test (bsc#1166003). - lib/raid6: add option to skip algo benchmarking (bsc#1166003). - lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003). - md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003). - md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003). - md: add a missing endianness conversion in check_sb_changes (bsc#1166003). - md: add bitmap_abort label in md_run (bsc#1166003). - md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003). - md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003). - md: avoid invalid memory access for array sb->dev_roles (bsc#1166003). - md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003). - md-bitmap: small cleanups (bsc#1166003). - md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003). - md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003). - md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003). 
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003). - md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003). - md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003). - md-cluster/raid10: support add disk under grow mode (bsc#1166003). - md-cluster: remove suspend_info (bsc#1166003). - md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003). - md: convert to kvmalloc (bsc#1166003). - md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003). - md: do not set In_sync if array is frozen (bsc#1166003). - md: fix a typo s/creat/create (bsc#1166003). - md: fix for divide error in status_resync (bsc#1166003). - md: fix spelling typo and add necessary space (bsc#1166003). - md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003). - md-linear: use struct_size() in kzalloc() (bsc#1166003). - md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003). - md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003). - md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003). - md: no longer compare spare disk superblock events in super_load (bsc#1166003). - md/raid0: Fix an error message in raid0_make_request() (bsc#1166003). - md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003). - md/raid10: end bio when the device faulty (bsc#1166003). - md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003). - md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003). - md/raid10: read balance chooses idlest disk for SSD (bsc#1166003). - md: raid10: Use struct_size() in kmalloc() (bsc#1166003). - md/raid1: avoid soft lockup under high load (bsc#1166003). - md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003). - md/raid1: end bio when the device faulty (bsc#1166003). 
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003). - md/raid1: Fix a warning message in remove_wb() (bsc#1166003). - md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003). - md/raid1: get rid of extra blank line and space (bsc#1166003). - md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003). - md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003). - md: remove set but not used variable 'bi_rdev' (bsc#1166003). - md: rename wb stuffs (bsc#1166003). - md: return -ENODEV if rdev has no mddev assigned (bsc#1166003). - md: use correct type in super_1_load (bsc#1166003). - md: use correct type in super_1_sync (bsc#1166003). - md: use correct types in md_bitmap_print_sb (bsc#1166003). - media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507). - mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374). - mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374). - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27). - net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11). - net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20). - net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197). - net: Fix Tx hash bound checking (bsc#1109837). - net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353). - net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20). - net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05). - net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27). - net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27). - net, ip_tunnel: fix namespaces move (networking-stable-20_01_27). - net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09). 
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09). - net/mlx5: Fix lowest FDB pool size (bsc#1103990). - net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990 ). - net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990). - net/mlx5: Update the list of the PCI supported devices (bsc#1127611). - net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858). - net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09). - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27). - net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30). - net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05). - net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09). - net_sched: fix datalen for ematch (networking-stable-20_01_27). - net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11). - net/smc: add fallback check to connect() (git-fixes). - net/smc: fix cleanup for linkgroup setup failures (git-fixes). - net/smc: no peer ID in CLC decline for SMCD (git-fixes). - net/smc: transfer fasync_list in case of fallback (git-fixes). - net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11). - net-sysfs: Fix reference count leak (networking-stable-20_01_27). - net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09). - net/tls: fix async operation (bsc#1109837). - net/tls: free the record on encryption error (bsc#1109837). - net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837). - net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27). - net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11). - net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20). 
- NFC: pn544: Fix a typo in a debug message (bsc#1051510). - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510). - nvme: Fix parsing of ANA log page (bsc#1166658). - nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510). - nvme: Translate more status codes to blk_status_t (bsc#1156510). - orinoco: avoid assertion in case of NULL pointer (bsc#1051510). - padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes). - PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561). - PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561). - PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561). - PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561). - PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561). - PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561). - PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561). - PCI/AER: Take reference on error devices (bsc#1161561). - PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561). - PCI/ERR: Use slot reset if available (bsc#1161561). - pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510). - pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes). - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510). - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510). - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11). - platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994). - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686). - powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659). - powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834). 
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498). - powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498). - powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498). - powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091). - ptr_ring: add include of linux/mm.h (bsc#1109837). - qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510). - raid10: refactor common wait code from regular read/write request (bsc#1166003). - raid1: factor out a common routine to handle the completion of sync write (bsc#1166003). - raid1: simplify raid1_error function (bsc#1166003). - raid1: use an int as the return value of raise_barrier() (bsc#1166003). - raid5: block failing device if raid will be failed (bsc#1166003). - raid5: do not increment read_errors on EILSEQ return (bsc#1166003). - raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003). - raid5 improve too many read errors msg by adding limits (bsc#1166003). - raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003). - raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003). - raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003). - raid5: set write hint for PPL (bsc#1166003). - raid5: use bio_end_sector in r5_next_bio (bsc#1166003). - raid6/test: fix a compilation error (bsc#1166003). - raid6/test: fix a compilation warning (bsc#1166003). - RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992). - RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685). - RDMA/uverbs: Verify MR access flags (bsc#1103992). - remoteproc: Initialize rproc_class before use (bsc#1051510). - Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" (git-fixes). - rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510). - rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05). 
- s390/pci: Fix unexpected write combine on resource (git-fixes). - s390/uv: Fix handling of length extensions (git-fixes). - scsi: fnic: do not queue commands during fwreset (bsc#1146539). - scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551). - scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551). - scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551). - scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551). - scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551). - scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551). - scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551). - scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551). - scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551). - scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). - scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). 
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). - scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). - scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). - scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). - scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). 
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). - scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). - scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - smb3: add debug messages for closing unmatched open (bsc#1144333). - smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). 
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). - smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - smb3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). - smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). - smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). 
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). - Updated block layer, timers and md code for SLE15-SP1 kernel (bsc#1111974). - Updated "drm/i915: Wean off drm_pci_alloc/drm_pci_free" (bsc#1114279) - USB: core: add endpoint-blacklist quirk (git-fixes). - USBip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). 
- uvcvideo: Refactor teardown of uvc on USB disconnect (https://patchwork.kernel.org/patch/9683663/) (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895).
- x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-836=1

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-836=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-default-extra-4.12.14-197.37.1
      kernel-default-extra-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-obs-qa-4.12.14-197.37.1
      kernel-vanilla-4.12.14-197.37.1
      kernel-vanilla-base-4.12.14-197.37.1
      kernel-vanilla-base-debuginfo-4.12.14-197.37.1
      kernel-vanilla-debuginfo-4.12.14-197.37.1
      kernel-vanilla-debugsource-4.12.14-197.37.1
      kernel-vanilla-devel-4.12.14-197.37.1
      kernel-vanilla-devel-debuginfo-4.12.14-197.37.1
      kernel-vanilla-livepatch-devel-4.12.14-197.37.1
      kselftests-kmp-default-4.12.14-197.37.1
      kselftests-kmp-default-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64):

      kernel-debug-4.12.14-197.37.1
      kernel-debug-base-4.12.14-197.37.1
      kernel-debug-base-debuginfo-4.12.14-197.37.1
      kernel-debug-debuginfo-4.12.14-197.37.1
      kernel-debug-debugsource-4.12.14-197.37.1
      kernel-debug-devel-4.12.14-197.37.1
      kernel-debug-devel-debuginfo-4.12.14-197.37.1
      kernel-debug-livepatch-devel-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x):

      kernel-default-livepatch-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      kernel-kvmsmall-4.12.14-197.37.1
      kernel-kvmsmall-base-4.12.14-197.37.1
      kernel-kvmsmall-base-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-debugsource-4.12.14-197.37.1
      kernel-kvmsmall-devel-4.12.14-197.37.1
      kernel-kvmsmall-devel-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-livepatch-devel-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      kernel-docs-html-4.12.14-197.37.1
      kernel-source-vanilla-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      kernel-zfcpdump-debuginfo-4.12.14-197.37.1
      kernel-zfcpdump-debugsource-4.12.14-197.37.1
      kernel-zfcpdump-man-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      reiserfs-kmp-default-4.12.14-197.37.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-4.12.14-197.37.1
      kernel-obs-build-debugsource-4.12.14-197.37.1
      kernel-syms-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

      kernel-docs-4.12.14-197.37.1
      kernel-source-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-197.37.1
      kernel-default-base-4.12.14-197.37.1
      kernel-default-base-debuginfo-4.12.14-197.37.1
      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-default-devel-4.12.14-197.37.1
      kernel-default-devel-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      kernel-devel-4.12.14-197.37.1
      kernel-macros-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):

      kernel-default-man-4.12.14-197.37.1
      kernel-zfcpdump-debuginfo-4.12.14-197.37.1
      kernel-zfcpdump-debugsource-4.12.14-197.37.1

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-197.37.1
      cluster-md-kmp-default-debuginfo-4.12.14-197.37.1
      dlm-kmp-default-4.12.14-197.37.1
      dlm-kmp-default-debuginfo-4.12.14-197.37.1
      gfs2-kmp-default-4.12.14-197.37.1
      gfs2-kmp-default-debuginfo-4.12.14-197.37.1
      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      ocfs2-kmp-default-4.12.14-197.37.1
      ocfs2-kmp-default-debuginfo-4.12.14-197.37.1

References:

   https://www.suse.com/security/cve/CVE-2019-19768.html
   https://www.suse.com/security/cve/CVE-2020-8647.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8649.html
   https://www.suse.com/security/cve/CVE-2020-9383.html
   https://bugzilla.suse.com/1044231
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1051858
   https://bugzilla.suse.com/1056686
   https://bugzilla.suse.com/1060463
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1103990
   https://bugzilla.suse.com/1103992
   https://bugzilla.suse.com/1104353
   https://bugzilla.suse.com/1104745
   https://bugzilla.suse.com/1109837
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1111974
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1112374
   https://bugzilla.suse.com/1113956
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1114685
   https://bugzilla.suse.com/1119680
   https://bugzilla.suse.com/1127611
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1134090
   https://bugzilla.suse.com/1136157
   https://bugzilla.suse.com/1141895
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1146539
   https://bugzilla.suse.com/1156510
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1158187
   https://bugzilla.suse.com/1159285
   https://bugzilla.suse.com/1160659
   https://bugzilla.suse.com/1161561
   https://bugzilla.suse.com/1161951
   https://bugzilla.suse.com/1162928
   https://bugzilla.suse.com/1162929
   https://bugzilla.suse.com/1162931
   https://bugzilla.suse.com/1164078
   https://bugzilla.suse.com/1164507
   https://bugzilla.suse.com/1165111
   https://bugzilla.suse.com/1165404
   https://bugzilla.suse.com/1165488
   https://bugzilla.suse.com/1165527
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1165813
   https://bugzilla.suse.com/1165873
   https://bugzilla.suse.com/1165929
   https://bugzilla.suse.com/1165950
   https://bugzilla.suse.com/1165980
   https://bugzilla.suse.com/1165984
   https://bugzilla.suse.com/1165985
   https://bugzilla.suse.com/1166003
   https://bugzilla.suse.com/1166101
   https://bugzilla.suse.com/1166102
   https://bugzilla.suse.com/1166103
   https://bugzilla.suse.com/1166104
   https://bugzilla.suse.com/1166632
   https://bugzilla.suse.com/1166658
   https://bugzilla.suse.com/1166730
   https://bugzilla.suse.com/1166731
   https://bugzilla.suse.com/1166732
   https://bugzilla.suse.com/1166733
   https://bugzilla.suse.com/1166734
   https://bugzilla.suse.com/1166735

From sle-security-updates at lists.suse.com Tue Mar 31 16:28:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 1 Apr 2020 00:28:16 +0200 (CEST)
Subject: SUSE-SU-2020:0836-1: important: Security update for the Linux Kernel
Message-ID: <20200331222816.01562FE02@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0836-1
Rating:             important
References:         #1044231 #1051510 #1051858 #1056686 #1060463 #1065729
                    #1103990 #1103992 #1104353 #1104745 #1109837 #1111666
                    #1111974 #1112178 #1112374 #1113956 #1114279 #1114685
                    #1119680 #1127611 #1133021 #1134090 #1136157 #1141895
                    #1144333 #1146539 #1156510 #1157424 #1158187 #1159285
                    #1160659 #1161561 #1161951 #1162928 #1162929 #1162931
                    #1164078 #1164507 #1165111 #1165404 #1165488 #1165527
                    #1165741 #1165813 #1165873 #1165929 #1165950 #1165980
                    #1165984 #1165985 #1166003 #1166101 #1166102 #1166103
                    #1166104 #1166632 #1166658 #1166730 #1166731 #1166732
                    #1166733 #1166734 #1166735
Cross-References:   CVE-2019-19768 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649
                    CVE-2020-9383
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 58 fixes is now available.

Description:

The SUSE Linux Enterprise 15-SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).
- CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).
- CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
- CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

The following non-security bugs were fixed:

- ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666).
- ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666).
- ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666).
- ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666).
- ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666).
- ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666).
- ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666).
- ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666).
- ALSA: usb-audio: unlock on error in probe (bsc#1111666).
- ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956)
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- CIFS: add a debug macro that prints \\server\share for errors (bsc#1144333).
- CIFS: add missing mount option to /proc/mounts (bsc#1144333).
- CIFS: add new debugging macro cifs_server_dbg (bsc#1144333).
- CIFS: add passthrough for smb2 setinfo (bsc#1144333).
- CIFS: add SMB2_open() arg to return POSIX data (bsc#1144333).
- CIFS: add smb2 POSIX info level (bsc#1144333).
- CIFS: add SMB3 change notification support (bsc#1144333).
- CIFS: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- CIFS: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- CIFS: Add tracepoints for errors on flush or fsync (bsc#1144333).
- CIFS: Adjust indentation in smb2_open_file (bsc#1144333).
- CIFS: allow chmod to set mode bits using special sid (bsc#1144333).
- CIFS: Avoid doing network I/O while holding cache lock (bsc#1144333).
- CIFS: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- CIFS: Clean up DFS referral cache (bsc#1144333).
- CIFS: create a helper function to parse the query-directory response buffer (bsc#1144333).
- CIFS: do d_move in rename (bsc#1144333).
- CIFS: Do not display RDMA transport on reconnect (bsc#1144333).
- CIFS: do not ignore the SYNC flags in getattr (bsc#1144333).
- CIFS: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- CIFS: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- CIFS: enable change notification for SMB2.1 dialect (bsc#1144333).
- CIFS: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- CIFS: fix a comment for the timeouts when sending echos (bsc#1144333).
- CIFS: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- CIFS: fix dereference on ses before it is null checked (bsc#1144333).
- CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- CIFS: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- CIFS: Fix mode output in debugging statements (bsc#1144333).
- CIFS: Fix mount options set in automount (bsc#1144333).
- CIFS: fix NULL dereference in match_prepath (bsc#1144333).
- CIFS: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- CIFS: fix potential mismatch of UNC paths (bsc#1144333).
- CIFS: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- CIFS: Fix return value in __update_cache_entry (bsc#1144333).
- CIFS: fix soft mounts hanging in the reconnect code (bsc#1144333).
- CIFS: fix soft mounts hanging in the reconnect code (bsc#1144333).
- CIFS: Fix task struct use-after-free on reconnect (bsc#1144333).
- CIFS: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- CIFS: get mode bits from special sid on stat (bsc#1144333).
- CIFS: Get rid of kstrdup_const()'d paths (bsc#1144333).
- CIFS: handle prefix paths in reconnect (bsc#1144333).
- CIFS: Introduce helpers for finding TCP connection (bsc#1144333).
- CIFS: log warning message (once) if out of disk space (bsc#1144333).
- CIFS: make sure we do not overflow the max EA buffer size (bsc#1144333).
- CIFS: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- CIFS: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- CIFS: modefromsid: make room for 4 ACE (bsc#1144333).
- CIFS: modefromsid: write mode ACE first (bsc#1144333).
- CIFS: Optimize readdir on reparse points (bsc#1144333).
- CIFS: plumb smb2 POSIX dir enumeration (bsc#1144333).
- CIFS: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- CIFS: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- CIFS: print warning once if mounting with vers=1.0 (bsc#1144333).
- CIFS: refactor cifs_get_inode_info() (bsc#1144333).
- CIFS: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- CIFS: remove redundant assignment to variable rc (bsc#1144333).
- CIFS: remove set but not used variables (bsc#1144333).
- CIFS: remove set but not used variable 'server' (bsc#1144333).
- CIFS: remove unused variable (bsc#1144333).
- CIFS: remove unused variable 'sid_user' (bsc#1144333).
- CIFS: rename a variable in SendReceive() (bsc#1144333).
- CIFS: rename posix create rsp (bsc#1144333).
- CIFS: replace various strncpy with strscpy and similar (bsc#1144333).
- CIFS: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- CIFS: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- CIFS: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- CIFS: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- CIFS: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- CIFS: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- CIFS: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- CIFS: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- CIFS: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- CIFS: use compounding for open and first query-dir for readdir() (bsc#1144333).
- CIFS: Use #define in cifs_dbg (bsc#1144333).
- CIFS: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- CIFS: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- CIFS: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- Enabled the following two patches in series.conf, and refresh the KABI patch due to previous md commit (bsc#1119680)
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- Fixed memory leak in large read decrypt offload (bsc#1144333).
- Fixed some regressions (bsc#1165527 ltc#184149).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- smb3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510).
- staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8723bs: Fix potential security hole (bsc#1051510).
- SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992).
- tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27).
- tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05).
- tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20).
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11).
- thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes).
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231).
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes).
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003).
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes).
- tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837).
- Updated block layer, timers and md code for SLE15-SP1 kernel (bsc#1111974).
- Updated "drm/i915: Wean off drm_pci_alloc/drm_pci_free" (bsc#1114279)
- USB: core: add endpoint-blacklist quirk (git-fixes).
- USBip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (https://patchwork.kernel.org/patch/9683663/) (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895).
- x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-836=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-836=1

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-836=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-default-extra-4.12.14-197.37.1
      kernel-default-extra-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-obs-qa-4.12.14-197.37.1
      kernel-vanilla-4.12.14-197.37.1
      kernel-vanilla-base-4.12.14-197.37.1
      kernel-vanilla-base-debuginfo-4.12.14-197.37.1
      kernel-vanilla-debuginfo-4.12.14-197.37.1
      kernel-vanilla-debugsource-4.12.14-197.37.1
      kernel-vanilla-devel-4.12.14-197.37.1
      kernel-vanilla-devel-debuginfo-4.12.14-197.37.1
      kernel-vanilla-livepatch-devel-4.12.14-197.37.1
      kselftests-kmp-default-4.12.14-197.37.1
      kselftests-kmp-default-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64):

      kernel-debug-4.12.14-197.37.1
      kernel-debug-base-4.12.14-197.37.1
      kernel-debug-base-debuginfo-4.12.14-197.37.1
      kernel-debug-debuginfo-4.12.14-197.37.1
      kernel-debug-debugsource-4.12.14-197.37.1
      kernel-debug-devel-4.12.14-197.37.1
      kernel-debug-devel-debuginfo-4.12.14-197.37.1
      kernel-debug-livepatch-devel-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x):

      kernel-default-livepatch-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      kernel-docs-html-4.12.14-197.37.1
      kernel-source-vanilla-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      kernel-kvmsmall-4.12.14-197.37.1
      kernel-kvmsmall-base-4.12.14-197.37.1
      kernel-kvmsmall-base-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-debugsource-4.12.14-197.37.1
      kernel-kvmsmall-devel-4.12.14-197.37.1
      kernel-kvmsmall-devel-debuginfo-4.12.14-197.37.1
      kernel-kvmsmall-livepatch-devel-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      kernel-zfcpdump-debuginfo-4.12.14-197.37.1
      kernel-zfcpdump-debugsource-4.12.14-197.37.1
      kernel-zfcpdump-man-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-default-livepatch-4.12.14-197.37.1
      kernel-default-livepatch-devel-4.12.14-197.37.1
      kernel-livepatch-4_12_14-197_37-default-1-3.3.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      reiserfs-kmp-default-4.12.14-197.37.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-4.12.14-197.37.1
      kernel-obs-build-debugsource-4.12.14-197.37.1
      kernel-syms-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

      kernel-docs-4.12.14-197.37.1
      kernel-source-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-197.37.1
      kernel-default-base-4.12.14-197.37.1
      kernel-default-base-debuginfo-4.12.14-197.37.1
      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      kernel-default-devel-4.12.14-197.37.1
      kernel-default-devel-debuginfo-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      kernel-devel-4.12.14-197.37.1
      kernel-macros-4.12.14-197.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):

      kernel-default-man-4.12.14-197.37.1
      kernel-zfcpdump-debuginfo-4.12.14-197.37.1
      kernel-zfcpdump-debugsource-4.12.14-197.37.1

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-197.37.1
      cluster-md-kmp-default-debuginfo-4.12.14-197.37.1
      dlm-kmp-default-4.12.14-197.37.1
      dlm-kmp-default-debuginfo-4.12.14-197.37.1
      gfs2-kmp-default-4.12.14-197.37.1
      gfs2-kmp-default-debuginfo-4.12.14-197.37.1
      kernel-default-debuginfo-4.12.14-197.37.1
      kernel-default-debugsource-4.12.14-197.37.1
      ocfs2-kmp-default-4.12.14-197.37.1
      ocfs2-kmp-default-debuginfo-4.12.14-197.37.1

References:

   https://www.suse.com/security/cve/CVE-2019-19768.html
   https://www.suse.com/security/cve/CVE-2020-8647.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8649.html
   https://www.suse.com/security/cve/CVE-2020-9383.html
   https://bugzilla.suse.com/1044231
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1051858
   https://bugzilla.suse.com/1056686
   https://bugzilla.suse.com/1060463
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1103990
   https://bugzilla.suse.com/1103992
   https://bugzilla.suse.com/1104353
   https://bugzilla.suse.com/1104745
   https://bugzilla.suse.com/1109837
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1111974
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1112374
   https://bugzilla.suse.com/1113956
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1114685
   https://bugzilla.suse.com/1119680
   https://bugzilla.suse.com/1127611
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1134090
   https://bugzilla.suse.com/1136157
   https://bugzilla.suse.com/1141895
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1146539
   https://bugzilla.suse.com/1156510
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1158187
   https://bugzilla.suse.com/1159285
   https://bugzilla.suse.com/1160659
   https://bugzilla.suse.com/1161561
   https://bugzilla.suse.com/1161951
   https://bugzilla.suse.com/1162928
   https://bugzilla.suse.com/1162929
   https://bugzilla.suse.com/1162931
   https://bugzilla.suse.com/1164078
   https://bugzilla.suse.com/1164507
   https://bugzilla.suse.com/1165111
   https://bugzilla.suse.com/1165404
   https://bugzilla.suse.com/1165488
   https://bugzilla.suse.com/1165527
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1165813
   https://bugzilla.suse.com/1165873
   https://bugzilla.suse.com/1165929
   https://bugzilla.suse.com/1165950
   https://bugzilla.suse.com/1165980
   https://bugzilla.suse.com/1165984
   https://bugzilla.suse.com/1165985
   https://bugzilla.suse.com/1166003
   https://bugzilla.suse.com/1166101
   https://bugzilla.suse.com/1166102
   https://bugzilla.suse.com/1166103
   https://bugzilla.suse.com/1166104
   https://bugzilla.suse.com/1166632
   https://bugzilla.suse.com/1166658
   https://bugzilla.suse.com/1166730
   https://bugzilla.suse.com/1166731
   https://bugzilla.suse.com/1166732
   https://bugzilla.suse.com/1166733
   https://bugzilla.suse.com/1166734
   https://bugzilla.suse.com/1166735