From sle-security-updates at lists.suse.com Mon Nov 2 07:18:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2020 15:18:45 +0100 (CET)
Subject: SUSE-SU-2020:3115-1: moderate: Security update for python
Message-ID: <20201102141845.204A9FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3115-1
Rating:             moderate
References:         #1177211
Cross-References:   CVE-2020-26116
Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python fixes the following issues:

   - bsc#1177211 (CVE-2020-26116): HTTPConnection.putrequest in httplib no
     longer allows special characters in the method parameter, which stops
     the injection of HTTP headers through that parameter.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3115=1

   - SUSE Linux Enterprise Module for Python2 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3115=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3115=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3115=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3115=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3115=1

Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):

      python-base-debuginfo-2.7.17-7.44.2
      python-base-debugsource-2.7.17-7.44.2
      python-curses-2.7.17-7.44.4
      python-curses-debuginfo-2.7.17-7.44.4
      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4
      python-devel-2.7.17-7.44.2
      python-gdbm-2.7.17-7.44.4
      python-gdbm-debuginfo-2.7.17-7.44.4
      python-xml-2.7.17-7.44.2
      python-xml-debuginfo-2.7.17-7.44.2

   - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):

      python-base-debuginfo-2.7.17-7.44.2
      python-base-debugsource-2.7.17-7.44.2
      python-curses-2.7.17-7.44.4
      python-curses-debuginfo-2.7.17-7.44.4
      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4
      python-devel-2.7.17-7.44.2
      python-gdbm-2.7.17-7.44.4
      python-gdbm-debuginfo-2.7.17-7.44.4
      python-xml-2.7.17-7.44.2
      python-xml-debuginfo-2.7.17-7.44.2

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4
      python-tk-2.7.17-7.44.4
      python-tk-debuginfo-2.7.17-7.44.4

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4
      python-tk-2.7.17-7.44.4
      python-tk-debuginfo-2.7.17-7.44.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.17-7.44.2
      libpython2_7-1_0-debuginfo-2.7.17-7.44.2
      python-2.7.17-7.44.4
      python-base-2.7.17-7.44.2
      python-base-debuginfo-2.7.17-7.44.2
      python-base-debugsource-2.7.17-7.44.2
      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.17-7.44.2
      libpython2_7-1_0-debuginfo-2.7.17-7.44.2
      python-2.7.17-7.44.4
      python-base-2.7.17-7.44.2
      python-base-debuginfo-2.7.17-7.44.2
      python-base-debugsource-2.7.17-7.44.2
      python-debuginfo-2.7.17-7.44.4
      python-debugsource-2.7.17-7.44.4

References:

   https://www.suse.com/security/cve/CVE-2020-26116.html
   https://bugzilla.suse.com/1177211

From sle-security-updates at lists.suse.com Mon Nov 2 13:15:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Nov 2020 21:15:22 +0100 (CET)
Subject: SUSE-SU-2020:3121-1: moderate: Security update for python
Message-ID: <20201102201522.407E5FFAB@maintenance.suse.de>

   SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3121-1
Rating:             moderate
References:         #1177211
Cross-References:   CVE-2020-26116
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python fixes the following issues:

   - CVE-2020-26116: Fixed CRLF injection via HTTP request method (bsc#1177211).
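The two python advisories above describe the same fix: putrequest() must refuse a method string that carries CR/LF or other control characters, because the method is copied verbatim into the request line. The following is an added example, not code from SUSE or from the CPython patch; `build_request_line` is a hypothetical stand-in for httplib's request-line serialization, and the RFC 7230 token check it applies is stricter than the bare minimum of rejecting CR and LF.

```python
import re

# RFC 7230 "token" characters, the only ones a request method may contain:
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# CR, LF, space and all other control characters fall outside this set.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_method(method):
    """Return True if `method` is a single non-empty RFC 7230 token."""
    return isinstance(method, str) and bool(_TOKEN_RE.match(method))


def build_request_line(method, url, validate=True):
    """Serialize a request line the way a putrequest()-style API does.

    Hypothetical stand-in for httplib's serialization (not the library's
    code). With validate=True (the fixed behaviour) a method that is not a
    token is rejected before anything is written. With validate=False (the
    pre-fix behaviour) the method is copied into the output verbatim, so a
    CR/LF inside it terminates the request line early and the remainder is
    read by the server as an additional header line.
    """
    if validate and not is_valid_method(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return "%s %s HTTP/1.1\r\n" % (method, url)


def count_lines(request_head):
    """Number of CRLF-terminated lines in a serialized request head.

    A correctly built request line is exactly one line before any headers
    are added; a higher count means a line separator was smuggled in via
    one of the fields. This is the check a reviewer or a test suite would
    run against the serializer's output.
    """
    return request_head.count("\r\n")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real traffic.
    good = "GET"
    bad = "GET\r\nX-Injected: 1"  # a method value carrying CRLF

    print(build_request_line(good, "/index.html").encode())
    print("lines:", count_lines(build_request_line(good, "/index.html")))

    # Pre-fix behaviour: the method is not checked, two lines come out.
    legacy = build_request_line(bad, "/", validate=False)
    print(legacy.encode())
    print("lines:", count_lines(legacy))

    # Fixed behaviour: the same method is refused before serialization.
    try:
        build_request_line(bad, "/")
    except ValueError as exc:
        print("rejected:", exc)
```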
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3121=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3121=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-3121=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      python-base-debuginfo-2.7.17-28.56.1
      python-base-debugsource-2.7.17-28.56.1
      python-devel-2.7.17-28.56.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.17-28.56.1
      libpython2_7-1_0-debuginfo-2.7.17-28.56.1
      python-2.7.17-28.56.1
      python-base-2.7.17-28.56.1
      python-base-debuginfo-2.7.17-28.56.1
      python-base-debugsource-2.7.17-28.56.1
      python-curses-2.7.17-28.56.1
      python-curses-debuginfo-2.7.17-28.56.1
      python-debuginfo-2.7.17-28.56.1
      python-debugsource-2.7.17-28.56.1
      python-demo-2.7.17-28.56.1
      python-devel-2.7.17-28.56.1
      python-gdbm-2.7.17-28.56.1
      python-gdbm-debuginfo-2.7.17-28.56.1
      python-idle-2.7.17-28.56.1
      python-tk-2.7.17-28.56.1
      python-tk-debuginfo-2.7.17-28.56.1
      python-xml-2.7.17-28.56.1
      python-xml-debuginfo-2.7.17-28.56.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libpython2_7-1_0-32bit-2.7.17-28.56.1
      libpython2_7-1_0-debuginfo-32bit-2.7.17-28.56.1
      python-32bit-2.7.17-28.56.1
      python-base-32bit-2.7.17-28.56.1
      python-base-debuginfo-32bit-2.7.17-28.56.1
      python-debuginfo-32bit-2.7.17-28.56.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      python-doc-2.7.17-28.56.1
      python-doc-pdf-2.7.17-28.56.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      python-debuginfo-2.7.17-28.56.1
      python-debugsource-2.7.17-28.56.1
      python-strict-tls-check-2.7.17-28.56.1

References:

   https://www.suse.com/security/cve/CVE-2020-26116.html
   https://bugzilla.suse.com/1177211

From sle-security-updates at lists.suse.com Tue Nov 3 07:16:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2020 15:16:49 +0100 (CET)
Subject: SUSE-SU-2020:3122-1: important: Security update for the Linux Kernel
Message-ID: <20201103141649.A2864FFAB@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3122-1
Rating:             important
References:         #1055014 #1055186 #1061843 #1065729 #1077428 #1129923
                    #1134760 #1152489 #1174748 #1174969 #1175052 #1175898
                    #1176485 #1176713 #1177086 #1177353 #1177410 #1177411
                    #1177470 #1177739 #1177749 #1177750 #1177754 #1177755
                    #1177765 #1177814 #1177817 #1177854 #1177855 #1177856
                    #1177861 #1178002 #1178079 #1178246
Cross-References:   CVE-2020-14351 CVE-2020-16120 CVE-2020-25285
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 31 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-25285: A race condition between hugetlb sysctl handlers in
     mm/hugetlb.c could be used by local attackers to corrupt memory, cause a
     NULL pointer dereference, or possibly have unspecified other impact
     (bnc#1176485).
   - CVE-2020-16120: Fixed permission check to open real file when using
     overlayfs. It was possible to have a file not readable by an
     unprivileged user be copied to a mountpoint controlled by that user and
     then be able to access the file (bsc#1177470).
   - CVE-2020-14351: Fixed a race condition in the perf_mmap_close() function
     (bsc#1177086).

   The following non-security bugs were fixed:

   - ACPI: Always build evged in (git-fixes).
   - ACPI: button: fix handling lid state changes when input device closed (git-fixes).
   - ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
   - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
   - ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
   - Add CONFIG_CHECK_CODESIGN_EKU
   - ALSA: ac97: (cosmetic) align argument names (git-fixes).
   - ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
   - ALSA: asihpi: fix spellint typo in comments (git-fixes).
   - ALSA: atmel: ac97: clarify operator precedence (git-fixes).
   - ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
   - ALSA: compress_offload: remove redundant initialization (git-fixes).
   - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
   - ALSA: core: pcm: simplify locking for timers (git-fixes).
   - ALSA: core: timer: clarify operator precedence (git-fixes).
   - ALSA: core: timer: remove redundant assignment (git-fixes).
   - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
   - ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes).
   - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
   - ALSA: hda: (cosmetic) align function parameters (git-fixes).
   - ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
   - ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
   - ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
   - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
   - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
   - ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes).
   - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
   - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
   - ALSA: hdspm: Fix typo arbitary (git-fixes).
   - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
   - ALSA: portman2x4: fix repeated word 'if' (git-fixes).
   - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
   - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
   - ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
   - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
   - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
   - ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
   - ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes).
   - ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
   - ALSA: vx: vx_core: clarify operator precedence (git-fixes).
   - ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
   - ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes).
   - ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
   - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
   - ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
   - ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes).
   - ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
   - ata: sata_rcar: Fix DMA boundary mask (git-fixes).
   - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
   - ath10k: provide survey info as accumulated data (git-fixes).
   - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
   - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
   - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
   - ath9k_htc: Use appropriate rs_datalen type (git-fixes).
   - backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
   - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
   - block: ensure bdi->io_pages is always initialized (bsc#1177749).
   - block: Fix page_is_mergeable() for compound pages (bsc#1177814).
   - Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
   - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
   - brcmfmac: check ndev pointer (git-fixes).
   - btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
   - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
   - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
   - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
   - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
   - can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes).
   - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
   - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
   - clk: at91: remove the checking of parent_name (git-fixes).
   - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
   - clk: imx8mq: Fix usdhc parents order (git-fixes).
   - clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes).
   - clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
   - clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
   - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
   - dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
   - dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743).
   - dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743).
   - dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743).
   - dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743).
   - dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743).
   - dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743).
   - dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743).
   - dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743).
   - dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743).
   - dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
   - dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743).
   - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
   - dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes).
   - dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
   - dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743).
   - dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743).
   - dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743).
   - dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743).
   - dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
   - dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
   - dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743).
   - dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
   - dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743).
   - dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
   - dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
   - dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743).
   - dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743).
   - dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743).
   - dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
   - dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
   - dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
   - dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743).
   - dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743).
   - dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743).
   - dm: Call proper helper to determine dax support (bsc#1177817).
   - dm/dax: Fix table reference counts (bsc#1178246).
   - docs: driver-api: remove a duplicated index entry (git-fixes).
   - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
   - extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes).
   - HID: hid-input: fix stylus battery reporting (git-fixes).
   - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
   - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
   - i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes).
   - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
   - i2c: rcar: Auto select RESET_CONTROLLER (git-fixes).
   - i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes).
   - i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes).
   - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
   - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
   - ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes).
   - ida: Free allocated bitmap in error path (git-fixes).
   - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
   - iio: adc: gyroadc: fix leak of device node iterator (git-fixes).
   - iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes).
   - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
   - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
   - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
   - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
   - ima: Do not ignore errors from crypto_shash_update() (git-fixes).
   - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
   - Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes).
   - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
   - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: stmfts - fix a & vs && typo (git-fixes).
   - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
   - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
   - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
   - iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739).
   - ipmi_si: Fix wrong return value in try_smi_init() (git-fixes).
   - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
   - kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353).
   - leds: mt6323: move period calculation (git-fixes).
   - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
   - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
   - memory: omap-gpmc: Fix a couple off by ones (git-fixes).
   - memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes).
   - mfd: sm501: Fix leaks in probe() (git-fixes).
   - misc: mic: scif: Fix error handling path (git-fixes).
   - mm: do not panic when links can't be created in sysfs (bsc#1178002).
   - mm: do not rely on system state to detect hot-plug operations (bsc#1178002).
   - mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
   - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
   - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
   - mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
   - mm: replace memmap_context by meminit_context (bsc#1178002).
   - mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
   - mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
   - mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
   - mtd: lpddr: fix excessive stack usage with clang (git-fixes).
   - mtd: mtdoops: Do not write panic data twice (git-fixes).
   - mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes).
   - mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes).
   - mtd: spinand: gigadevice: Add QE Bit (git-fixes).
   - mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes).
   - mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
   - mwifiex: fix double free (git-fixes).
   - mwifiex: remove function pointer check (git-fixes).
   - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
   - net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
   - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
   - nl80211: fix non-split wiphy information (git-fixes).
   - NTB: hw: amd: fix an issue about leak system resources (git-fixes).
   - ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
   - nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
   - nvme-rdma: fix crash when connect rejected (bsc#1174748).
   - overflow: Include header file with SIZE_MAX declaration (git-fixes).
   - PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes).
   - percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)).
   - perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489).
   - perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
   - pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
   - pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
   - PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353).
   - platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
   - PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
   - powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes).
   - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
   - powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
   - powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
   - powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
   - powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
   - powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
   - powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
   - powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
   - powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes).
   - powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
   - powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
   - pwm: img: Fix null pointer access in probe (git-fixes).
   - pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
   - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
   - qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes).
   - r8169: fix operation under forced interrupt threading (git-fixes).
   - rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes).
   - reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
   - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
   - rtc: rx8010: do not modify the global rtc ops (git-fixes).
   - scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
   - scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743).
   - slimbus: core: check get_addr before removing laddr ida (git-fixes).
   - slimbus: core: do not enter to clock pause mode in core (git-fixes).
   - slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes).
   - soc: fsl: qbman: Fix return value on success (git-fixes).
   - staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
   - staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
   - tracing: Check return value of __create_val_fields() before using its result (git-fixes).
   - tracing: Save normal string variables (git-fixes).
   - USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
   - USB: dwc2: Fix parameter type in function pointer prototype (git-fixes).
   - USB: dwc3: core: add phy cleanup for probe error handling (git-fixes).
   - USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
   - USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
   - USB: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
   - USB: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes).
   - USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
   - USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
   - usblp: fix race between disconnect() and read() (git-fixes).
   - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
   - USB: serial: option: add Cellient MPL200 card (git-fixes).
   - USB: serial: option: Add Telit FT980-KS composition (git-fixes).
   - USB: serial: pl2303: add device-id for HP GC device (git-fixes).
   - USB: serial: qcserial: fix altsetting probing (git-fixes).
   - usb: xhci-mtk: Fix typo (git-fixes).
   - VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
   - w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
   - watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
   - watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
   - watchdog: Use put_device on error (git-fixes).
   - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
   - writeback: Avoid skipping inode writeback (bsc#1177755).
   - writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
   - writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
   - X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
   - x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
   - x86/ioapic: Unbreak check_timer() (bsc#1152489).
   - x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
   - x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
   - x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
   - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
   - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
   - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
   - xen/events: block rogue events for some time (XSA-332 bsc#1177411).
   - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
   - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
   - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
   - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
   - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xfs: force the log after remapping a synchronous-writes file (git-fixes).
   - xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3122=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3122=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3122=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3122=1

   - SUSE Linux Enterprise High Availability 15-SP2:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2020-3122=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      kernel-default-debuginfo-5.3.18-24.34.1
      kernel-default-debugsource-5.3.18-24.34.1
      kernel-default-extra-5.3.18-24.34.1
      kernel-default-extra-debuginfo-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-5.3.18-24.34.1
      kernel-default-debugsource-5.3.18-24.34.1
      reiserfs-kmp-default-5.3.18-24.34.1
      reiserfs-kmp-default-debuginfo-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-5.3.18-24.34.1
      kernel-obs-build-debugsource-5.3.18-24.34.1
      kernel-syms-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      kernel-preempt-debuginfo-5.3.18-24.34.1
      kernel-preempt-debugsource-5.3.18-24.34.1
      kernel-preempt-devel-5.3.18-24.34.1
      kernel-preempt-devel-debuginfo-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):

      kernel-docs-5.3.18-24.34.1
      kernel-source-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-default-5.3.18-24.34.1
      kernel-default-base-5.3.18-24.34.1.9.11.2
      kernel-default-debuginfo-5.3.18-24.34.1
      kernel-default-debugsource-5.3.18-24.34.1
      kernel-default-devel-5.3.18-24.34.1
      kernel-default-devel-debuginfo-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64):

      kernel-preempt-5.3.18-24.34.1
      kernel-preempt-debuginfo-5.3.18-24.34.1
      kernel-preempt-debugsource-5.3.18-24.34.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

      kernel-devel-5.3.18-24.34.1
      kernel-macros-5.3.18-24.34.1

   - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-5.3.18-24.34.1
      cluster-md-kmp-default-debuginfo-5.3.18-24.34.1
      dlm-kmp-default-5.3.18-24.34.1
      dlm-kmp-default-debuginfo-5.3.18-24.34.1
      gfs2-kmp-default-5.3.18-24.34.1
      gfs2-kmp-default-debuginfo-5.3.18-24.34.1
      kernel-default-debuginfo-5.3.18-24.34.1
      kernel-default-debugsource-5.3.18-24.34.1
      ocfs2-kmp-default-5.3.18-24.34.1
      ocfs2-kmp-default-debuginfo-5.3.18-24.34.1

References:

   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://bugzilla.suse.com/1055014
   https://bugzilla.suse.com/1055186
   https://bugzilla.suse.com/1061843
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1077428
https://bugzilla.suse.com/1129923 https://bugzilla.suse.com/1134760 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1174748 https://bugzilla.suse.com/1174969 https://bugzilla.suse.com/1175052 https://bugzilla.suse.com/1175898 https://bugzilla.suse.com/1176485 https://bugzilla.suse.com/1176713 https://bugzilla.suse.com/1177086 https://bugzilla.suse.com/1177353 https://bugzilla.suse.com/1177410 https://bugzilla.suse.com/1177411 https://bugzilla.suse.com/1177470 https://bugzilla.suse.com/1177739 https://bugzilla.suse.com/1177749 https://bugzilla.suse.com/1177750 https://bugzilla.suse.com/1177754 https://bugzilla.suse.com/1177755 https://bugzilla.suse.com/1177765 https://bugzilla.suse.com/1177814 https://bugzilla.suse.com/1177817 https://bugzilla.suse.com/1177854 https://bugzilla.suse.com/1177855 https://bugzilla.suse.com/1177856 https://bugzilla.suse.com/1177861 https://bugzilla.suse.com/1178002 https://bugzilla.suse.com/1178079 https://bugzilla.suse.com/1178246 From sle-security-updates at lists.suse.com Tue Nov 3 07:23:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Nov 2020 15:23:52 +0100 (CET) Subject: SUSE-SU-2020:3126-1: moderate: Security update for ovmf Message-ID: <20201103142352.D6277FFAB@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3126-1 Rating: moderate References: #1163927 #1175476 Cross-References: CVE-2019-14559 CVE-2019-14562 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description:

This update for ovmf fixes the following issues:

- CVE-2019-14562: Fixed an overflow in DxeImageVerificationHandler (bsc#1175476).
- CVE-2019-14559: Fixed a memory leak in ArpOnFrameRcvdDpc() (bsc#1163927).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3126=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3126=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3126=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3126=1

Package List:

- SUSE OpenStack Cloud 7 (noarch):
  qemu-ovmf-x86_64-2015+git1462940744.321151f-19.15.1
- SUSE OpenStack Cloud 7 (x86_64):
  ovmf-2015+git1462940744.321151f-19.15.1
  ovmf-tools-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
  qemu-ovmf-x86_64-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  ovmf-2015+git1462940744.321151f-19.15.1
  ovmf-tools-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
  qemu-ovmf-x86_64-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):
  ovmf-2015+git1462940744.321151f-19.15.1
  ovmf-tools-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  ovmf-2015+git1462940744.321151f-19.15.1
  ovmf-tools-2015+git1462940744.321151f-19.15.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
  qemu-ovmf-x86_64-2015+git1462940744.321151f-19.15.1

References:

https://www.suse.com/security/cve/CVE-2019-14559.html
https://www.suse.com/security/cve/CVE-2019-14562.html
https://bugzilla.suse.com/1163927
https://bugzilla.suse.com/1175476


From sle-security-updates at lists.suse.com Tue Nov 3 07:25:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2020 15:25:05 +0100 (CET)
Subject: SUSE-SU-2020:3125-1: important: Security update for sane-backends
Message-ID: <20201103142505.08DDEFFAB@maintenance.suse.de>

SUSE Security Update: Security update for sane-backends
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3125-1
Rating: important
References: #1172524 ECO-2418 SLE-15560 SLE-15561
Cross-References: CVE-2017-6318 CVE-2020-12861 CVE-2020-12862 CVE-2020-12863 CVE-2020-12864 CVE-2020-12865 CVE-2020-12866 CVE-2020-12867
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Workstation Extension 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 8 vulnerabilities and contains three features is now available.
Description:

This update for sane-backends fixes the following issues:

- sane-backends version upgrade to 1.0.31:
  * sane-backends version upgrade to 1.0.30 fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862, CVE-2020-12863, CVE-2020-12864, CVE-2020-12865, CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
  * sane-backends version upgrade to 1.0.31 to further improve hardware enablement for scanner devices (jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
  * The new escl backend cannot be provided for SLE12 because it requires more additional software (avahi-client, libcurl, and libpoppler-glib-devel). In particular, the libcurl in SLE12 (via libcurl-devel-7.37.0) is likely too old, because with it building the escl backend fails with "escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH' undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH"

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3125=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3125=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3125=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3125=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3125=1
- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3125=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3125=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3125=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3125=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3125=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3125=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3125=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3125=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3125=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3125=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3125=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3125=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-3125=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE OpenStack Cloud 9 (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE OpenStack Cloud 8 (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  sane-backends-32bit-1.0.31-4.3.1
  sane-backends-autoconfig-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debuginfo-32bit-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
  sane-backends-devel-1.0.31-4.3.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1
- HPE Helion Openstack 8 (x86_64):
  sane-backends-1.0.31-4.3.1
  sane-backends-debuginfo-1.0.31-4.3.1
  sane-backends-debugsource-1.0.31-4.3.1

References:

https://www.suse.com/security/cve/CVE-2017-6318.html
https://www.suse.com/security/cve/CVE-2020-12861.html
https://www.suse.com/security/cve/CVE-2020-12862.html
https://www.suse.com/security/cve/CVE-2020-12863.html
https://www.suse.com/security/cve/CVE-2020-12864.html
https://www.suse.com/security/cve/CVE-2020-12865.html
https://www.suse.com/security/cve/CVE-2020-12866.html
https://www.suse.com/security/cve/CVE-2020-12867.html
https://bugzilla.suse.com/1172524


From sle-security-updates at lists.suse.com Tue Nov 3 07:26:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2020 15:26:13 +0100 (CET)
Subject: SUSE-SU-2020:3132-1: moderate: Security update for gnome-settings-daemon, gnome-shell
Message-ID: <20201103142613.36605FFAB@maintenance.suse.de>

SUSE Security Update: Security update for gnome-settings-daemon, gnome-shell
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3132-1
Rating: moderate
References: #1172760 #1175155 SLE-16518
Cross-References: CVE-2020-17489
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP2
  SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has one errata is now available.

Description:

This update for gnome-settings-daemon, gnome-shell fixes the following issues:

gnome-settings-daemon:

- Add support for recent UCM related changes in ALSA and PulseAudio. (jsc#SLE-16518)
- Don't warn when a default source or sink is missing and the PulseAudio daemon is restarting. (jsc#SLE-16518)
- Don't warn about starting/stopping services which don't exist. (bsc#1172760)

gnome-shell:

- Add support for recent UCM related changes in ALSA and PulseAudio. (jsc#SLE-16518)
- CVE-2020-17489: reset auth prompt on vt switch before fade in in loginDialog (bsc#1175155).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP2:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3132=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3132=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
  gnome-shell-calendar-3.34.5-3.13.1
  gnome-shell-calendar-debuginfo-3.34.5-3.13.1
  gnome-shell-debuginfo-3.34.5-3.13.1
  gnome-shell-debugsource-3.34.5-3.13.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  gnome-settings-daemon-3.34.2+0-4.3.1
  gnome-settings-daemon-debuginfo-3.34.2+0-4.3.1
  gnome-settings-daemon-debugsource-3.34.2+0-4.3.1
  gnome-settings-daemon-devel-3.34.2+0-4.3.1
  gnome-shell-3.34.5-3.13.1
  gnome-shell-debuginfo-3.34.5-3.13.1
  gnome-shell-debugsource-3.34.5-3.13.1
  gnome-shell-devel-3.34.5-3.13.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):
  gnome-settings-daemon-lang-3.34.2+0-4.3.1
  gnome-shell-lang-3.34.5-3.13.1

References:

https://www.suse.com/security/cve/CVE-2020-17489.html
https://bugzilla.suse.com/1172760
https://bugzilla.suse.com/1175155


From sle-security-updates at lists.suse.com Tue Nov 3 07:31:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Nov 2020 15:31:04 +0100 (CET)
Subject: SUSE-SU-2020:3122-1: important: Security update for the Linux Kernel
Message-ID: <20201103143104.ECC46FFAB@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3122-1
Rating: important
References: #1055014 #1055186 #1061843 #1065729 #1077428 #1129923 #1134760 #1152489 #1174748 #1174969 #1175052 #1175898 #1176485 #1176713 #1177086 #1177353 #1177410 #1177411 #1177470 #1177739 #1177749 #1177750 #1177754 #1177755 #1177765 #1177814 #1177817 #1177854 #1177855 #1177856 #1177861 #1178002 #1178079 #1178246
Cross-References: CVE-2020-14351 CVE-2020-16120 CVE-2020-25285
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP2
  SUSE Linux Enterprise Module for Live Patching 15-SP2
  SUSE Linux Enterprise Module for Legacy Software 15-SP2
  SUSE Linux Enterprise Module for Development Tools 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

An update that solves three vulnerabilities and has 31 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact (bnc#1176485).
- CVE-2020-16120: Fixed the permission check used to open the real file when using overlayfs. It was possible for a file not readable by an unprivileged user to be copied to a mountpoint controlled by that user, who could then access the file (bsc#1177470).
- CVE-2020-14351: Fixed a race condition in the perf_mmap_close() function (bsc#1177086).

The following non-security bugs were fixed:

- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed (git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- Add CONFIG_CHECK_CODESIGN_EKU
- ALSA: ac97: (cosmetic) align argument names (git-fixes).
- ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: asihpi: fix spellint typo in comments (git-fixes).
- ALSA: atmel: ac97: clarify operator precedence (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda: (cosmetic) align function parameters (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hdspm: Fix typo arbitary (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: portman2x4: fix repeated word 'if' (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes).
- ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
- ALSA: vx: vx_core: clarify operator precedence (git-fixes).
- ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
- ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes).
- ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes).
- ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- block: Fix page_is_mergeable() for compound pages (bsc#1177814).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes).
- clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
- clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
- dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743).
- dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743).
- dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743).
- dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743).
- dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743).
- dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743).
- dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743).
- dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743).
- dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
- dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes).
- dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
- dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743).
- dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743).
- dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743).
- dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743).
- dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
- dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
- dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743).
- dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743).
- dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
- dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
- dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743).
- dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743).
- dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743).
- dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
- dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
- dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
- dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743).
- dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743).
- dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743).
- dm: Call proper helper to determine dax support (bsc#1177817).
- dm/dax: Fix table reference counts (bsc#1178246).
- docs: driver-api: remove a duplicated index entry (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
- extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes).
- HID: hid-input: fix stylus battery reporting (git-fixes).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: rcar: Auto select RESET_CONTROLLER (git-fixes).
- i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes).
- i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes).
- ida: Free allocated bitmap in error path (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio: adc: gyroadc: fix leak of device node iterator (git-fixes).
- iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Do not ignore errors from crypto_shash_update() (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: stmfts - fix a & vs && typo (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739).
- ipmi_si: Fix wrong return value in try_smi_init() (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353).
- leds: mt6323: move period calculation (git-fixes).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- mm: do not panic when links can't be created in sysfs (bsc#1178002).
- mm: do not rely on system state to detect hot-plug operations (bsc#1178002).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm: replace memmap_context by meminit_context (bsc#1178002).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes).
- mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes).
- mtd: spinand: gigadevice: Add QE Bit (git-fixes).
- mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- overflow: Include header file with SIZE_MAX declaration (git-fixes).
- PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes).
- percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489).
- perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
- pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
- powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pwm: img: Fix null pointer access in probe (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes).
- r8169: fix operation under forced interrupt threading (git-fixes).
- rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes).
- reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtc: rx8010: do not modify the global rtc ops (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743).
- slimbus: core: check get_addr before removing laddr ida (git-fixes).
- slimbus: core: do not enter to clock pause mode in core (git-fixes).
- slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes).
- soc: fsl: qbman: Fix return value on success (git-fixes).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
- staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
- tracing: Check return value of __create_val_fields() before using its result (git-fixes).
- tracing: Save normal string variables (git-fixes).
- USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- USB: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- USB: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- USB: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
- USB: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes).
- USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usblp: fix race between disconnect() and read() (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: xhci-mtk: Fix typo (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3122=1 - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3122=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3122=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3122=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3122=1 - SUSE Linux Enterprise High Availability 15-SP2: zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2020-3122=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): kernel-default-debuginfo-5.3.18-24.34.1 kernel-default-debugsource-5.3.18-24.34.1 kernel-default-extra-5.3.18-24.34.1 kernel-default-extra-debuginfo-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-24.34.1 kernel-default-debugsource-5.3.18-24.34.1 kernel-default-livepatch-5.3.18-24.34.1 kernel-default-livepatch-devel-5.3.18-24.34.1 kernel-livepatch-5_3_18-24_34-default-1-5.3.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-1-5.3.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-1-5.3.2 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-24.34.1 kernel-default-debugsource-5.3.18-24.34.1 reiserfs-kmp-default-5.3.18-24.34.1 reiserfs-kmp-default-debuginfo-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-obs-build-5.3.18-24.34.1 kernel-obs-build-debugsource-5.3.18-24.34.1 kernel-syms-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64): kernel-preempt-debuginfo-5.3.18-24.34.1 
kernel-preempt-debugsource-5.3.18-24.34.1 kernel-preempt-devel-5.3.18-24.34.1 kernel-preempt-devel-debuginfo-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): kernel-docs-5.3.18-24.34.1 kernel-source-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-default-5.3.18-24.34.1 kernel-default-base-5.3.18-24.34.1.9.11.2 kernel-default-debuginfo-5.3.18-24.34.1 kernel-default-debugsource-5.3.18-24.34.1 kernel-default-devel-5.3.18-24.34.1 kernel-default-devel-debuginfo-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64): kernel-preempt-5.3.18-24.34.1 kernel-preempt-debuginfo-5.3.18-24.34.1 kernel-preempt-debugsource-5.3.18-24.34.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): kernel-devel-5.3.18-24.34.1 kernel-macros-5.3.18-24.34.1 - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-5.3.18-24.34.1 cluster-md-kmp-default-debuginfo-5.3.18-24.34.1 dlm-kmp-default-5.3.18-24.34.1 dlm-kmp-default-debuginfo-5.3.18-24.34.1 gfs2-kmp-default-5.3.18-24.34.1 gfs2-kmp-default-debuginfo-5.3.18-24.34.1 kernel-default-debuginfo-5.3.18-24.34.1 kernel-default-debugsource-5.3.18-24.34.1 ocfs2-kmp-default-5.3.18-24.34.1 ocfs2-kmp-default-debuginfo-5.3.18-24.34.1 References: https://www.suse.com/security/cve/CVE-2020-14351.html https://www.suse.com/security/cve/CVE-2020-16120.html https://www.suse.com/security/cve/CVE-2020-25285.html https://bugzilla.suse.com/1055014 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061843 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1077428 https://bugzilla.suse.com/1129923 https://bugzilla.suse.com/1134760 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1174748 https://bugzilla.suse.com/1174969 https://bugzilla.suse.com/1175052 https://bugzilla.suse.com/1175898 https://bugzilla.suse.com/1176485 https://bugzilla.suse.com/1176713 
https://bugzilla.suse.com/1177086 https://bugzilla.suse.com/1177353 https://bugzilla.suse.com/1177410 https://bugzilla.suse.com/1177411 https://bugzilla.suse.com/1177470 https://bugzilla.suse.com/1177739 https://bugzilla.suse.com/1177749 https://bugzilla.suse.com/1177750 https://bugzilla.suse.com/1177754 https://bugzilla.suse.com/1177755 https://bugzilla.suse.com/1177765 https://bugzilla.suse.com/1177814 https://bugzilla.suse.com/1177817 https://bugzilla.suse.com/1177854 https://bugzilla.suse.com/1177855 https://bugzilla.suse.com/1177856 https://bugzilla.suse.com/1177861 https://bugzilla.suse.com/1178002 https://bugzilla.suse.com/1178079 https://bugzilla.suse.com/1178246 From sle-security-updates at lists.suse.com Tue Nov 3 07:36:42 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Nov 2020 15:36:42 +0100 (CET) Subject: SUSE-SU-2020:3133-1: Security update for opensc Message-ID: <20201103143642.90C51FFAC@maintenance.suse.de> SUSE Security Update: Security update for opensc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3133-1 Rating: low References: #1122756 Cross-References: CVE-2019-6502 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for opensc fixes the following issues: Security issue fixed: - CVE-2019-6502: Fixed a memory leak in sc_context_create() (bsc#1122756). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3133=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): opensc-0.13.0-3.6.27 opensc-debuginfo-0.13.0-3.6.27 opensc-debugsource-0.13.0-3.6.27 References: https://www.suse.com/security/cve/CVE-2019-6502.html https://bugzilla.suse.com/1122756 From sle-security-updates at lists.suse.com Tue Nov 3 13:14:49 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 3 Nov 2020 21:14:49 +0100 (CET) Subject: SUSE-SU-2020:3143-1: important: Security update for libvirt Message-ID: <20201103201449.221F0FFAB@maintenance.suse.de> SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3143-1 Rating: important References: #1174955 #1177155 Cross-References: CVE-2020-15708 CVE-2020-25637 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for libvirt fixes the following issues: - CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955). - CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3143=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3143=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3143=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3143=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libvirt-2.0.0-27.64.1 libvirt-client-2.0.0-27.64.1 libvirt-client-debuginfo-2.0.0-27.64.1 libvirt-daemon-2.0.0-27.64.1 libvirt-daemon-config-network-2.0.0-27.64.1 libvirt-daemon-config-nwfilter-2.0.0-27.64.1 libvirt-daemon-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-interface-2.0.0-27.64.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-lxc-2.0.0-27.64.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-network-2.0.0-27.64.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-qemu-2.0.0-27.64.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-secret-2.0.0-27.64.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-storage-2.0.0-27.64.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.64.1 libvirt-daemon-hooks-2.0.0-27.64.1 libvirt-daemon-lxc-2.0.0-27.64.1 libvirt-daemon-qemu-2.0.0-27.64.1 libvirt-debugsource-2.0.0-27.64.1 libvirt-doc-2.0.0-27.64.1 libvirt-lock-sanlock-2.0.0-27.64.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.64.1 libvirt-nss-2.0.0-27.64.1 libvirt-nss-debuginfo-2.0.0-27.64.1 - SUSE OpenStack Cloud 7 (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.64.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.64.1 libvirt-daemon-xen-2.0.0-27.64.1 - SUSE Linux 
Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libvirt-2.0.0-27.64.1 libvirt-client-2.0.0-27.64.1 libvirt-client-debuginfo-2.0.0-27.64.1 libvirt-daemon-2.0.0-27.64.1 libvirt-daemon-config-network-2.0.0-27.64.1 libvirt-daemon-config-nwfilter-2.0.0-27.64.1 libvirt-daemon-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-interface-2.0.0-27.64.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-lxc-2.0.0-27.64.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-network-2.0.0-27.64.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-qemu-2.0.0-27.64.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-secret-2.0.0-27.64.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-storage-2.0.0-27.64.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.64.1 libvirt-daemon-hooks-2.0.0-27.64.1 libvirt-daemon-lxc-2.0.0-27.64.1 libvirt-daemon-qemu-2.0.0-27.64.1 libvirt-debugsource-2.0.0-27.64.1 libvirt-doc-2.0.0-27.64.1 libvirt-lock-sanlock-2.0.0-27.64.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.64.1 libvirt-nss-2.0.0-27.64.1 libvirt-nss-debuginfo-2.0.0-27.64.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.64.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.64.1 libvirt-daemon-xen-2.0.0-27.64.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libvirt-2.0.0-27.64.1 libvirt-client-2.0.0-27.64.1 libvirt-client-debuginfo-2.0.0-27.64.1 libvirt-daemon-2.0.0-27.64.1 libvirt-daemon-config-network-2.0.0-27.64.1 libvirt-daemon-config-nwfilter-2.0.0-27.64.1 libvirt-daemon-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-interface-2.0.0-27.64.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.64.1 
libvirt-daemon-driver-lxc-2.0.0-27.64.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-network-2.0.0-27.64.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-qemu-2.0.0-27.64.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-secret-2.0.0-27.64.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-storage-2.0.0-27.64.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.64.1 libvirt-daemon-hooks-2.0.0-27.64.1 libvirt-daemon-lxc-2.0.0-27.64.1 libvirt-daemon-qemu-2.0.0-27.64.1 libvirt-debugsource-2.0.0-27.64.1 libvirt-doc-2.0.0-27.64.1 libvirt-lock-sanlock-2.0.0-27.64.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.64.1 libvirt-nss-2.0.0-27.64.1 libvirt-nss-debuginfo-2.0.0-27.64.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.64.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.64.1 libvirt-daemon-xen-2.0.0-27.64.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libvirt-2.0.0-27.64.1 libvirt-client-2.0.0-27.64.1 libvirt-client-debuginfo-2.0.0-27.64.1 libvirt-daemon-2.0.0-27.64.1 libvirt-daemon-config-network-2.0.0-27.64.1 libvirt-daemon-config-nwfilter-2.0.0-27.64.1 libvirt-daemon-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-interface-2.0.0-27.64.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-libxl-2.0.0-27.64.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-lxc-2.0.0-27.64.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-network-2.0.0-27.64.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-2.0.0-27.64.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-nwfilter-2.0.0-27.64.1 
libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-qemu-2.0.0-27.64.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-secret-2.0.0-27.64.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.64.1 libvirt-daemon-driver-storage-2.0.0-27.64.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.64.1 libvirt-daemon-hooks-2.0.0-27.64.1 libvirt-daemon-lxc-2.0.0-27.64.1 libvirt-daemon-qemu-2.0.0-27.64.1 libvirt-daemon-xen-2.0.0-27.64.1 libvirt-debugsource-2.0.0-27.64.1 libvirt-doc-2.0.0-27.64.1 libvirt-lock-sanlock-2.0.0-27.64.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.64.1 libvirt-nss-2.0.0-27.64.1 libvirt-nss-debuginfo-2.0.0-27.64.1 References: https://www.suse.com/security/cve/CVE-2020-15708.html https://www.suse.com/security/cve/CVE-2020-25637.html https://bugzilla.suse.com/1174955 https://bugzilla.suse.com/1177155 From sle-security-updates at lists.suse.com Wed Nov 4 00:21:26 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 08:21:26 +0100 (CET) Subject: SUSE-CU-2020:616-1: Security update of harbor/harbor-trivy-adapter Message-ID: <20201104072126.6E4FFFFAB@maintenance.suse.de> SUSE Container Update Advisory: harbor/harbor-trivy-adapter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:616-1 Container Tags : harbor/harbor-trivy-adapter:2.1.1 , harbor/harbor-trivy-adapter:2.1.1-rev1 , harbor/harbor-trivy-adapter:2.1.1-rev1-build3.11 Container Release : 3.11 Severity : important Type : security References : 1063412 1082023 1082318 1090638 1095218 1095218 1095219 1095219 1100786 1104902 1108562 1110949 1110949 1112230 1112928 1114225 1117257 1117969 1118629 1128828 1132350 1136136 1137832 1139937 1142614 1148244 1149429 1149792 1149792 1149792 1149792 1154935 1156651 1158785 1158785 1158787 1158787 1158788 1158788 1158789 1158789 1158790 1158790 1158791 1158791 1158792 1158792 1158793 1158793 1158795 1158795 
1165050 1165121 1165502 1165580 1167471 1167890 1168930 1168930 1169605 1169786 1169786 1169936 1169936 1170302 1170741 1170939 1171656 1172040 1172566 1173422 1173799 1174918 1175110 1176192 1176435 1176513 1176712 1176740 1176800 1176902 1177238 935885 CVE-2017-15298 CVE-2017-17833 CVE-2018-11233 CVE-2018-11233 CVE-2018-11235 CVE-2018-11235 CVE-2018-17456 CVE-2018-17456 CVE-2018-19486 CVE-2018-20843 CVE-2019-12749 CVE-2019-1348 CVE-2019-1348 CVE-2019-1349 CVE-2019-1349 CVE-2019-1350 CVE-2019-1350 CVE-2019-1351 CVE-2019-1351 CVE-2019-1352 CVE-2019-1352 CVE-2019-1353 CVE-2019-1353 CVE-2019-1354 CVE-2019-1354 CVE-2019-1387 CVE-2019-1387 CVE-2019-15903 CVE-2019-19604 CVE-2019-19604 CVE-2019-9893 CVE-2020-11008 CVE-2020-5260 CVE-2020-5260 ----------------------------------------------------------------- The container harbor/harbor-trivy-adapter was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1267-1 Released: Tue Jul 3 18:09:32 2018 Summary: Security update for git Type: security Severity: important References: 1095218,1095219,CVE-2018-11233,CVE-2018-11235 This update for git to version 2.16.4 fixes several issues. 
These security issues were fixed: - CVE-2018-11233: Path sanity-checks on NTFS allowed attackers to read arbitrary memory (bsc#1095218) - CVE-2018-11235: Arbitrary code execution when recursively cloning a malicious repository (bsc#1095219) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1292-1 Released: Mon Jul 9 11:57:14 2018 Summary: Security update for openslp Type: security Severity: important References: 1090638,CVE-2017-17833 This update for openslp fixes the following issues: - CVE-2017-17833: Prevent a heap-related memory corruption issue which may have manifested itself as a denial-of-service or remote code-execution vulnerability (bsc#1090638) - Prevent out-of-bounds reads in message parsing ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2232-1 Released: Mon Oct 15 14:57:55 2018 Summary: Security update for git Type: security Severity: important References: 1110949,CVE-2018-17456 This update for git fixes the following issue: - CVE-2018-17456: Git allowed remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character. (boo#1110949). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' to print the status of the 'allow_unsupported_modules' option. 
(bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2990-1 Released: Wed Dec 19 14:16:40 2018 Summary: Security update for git Type: security Severity: moderate References: 1117257,CVE-2018-19486 This update for git fixes the following issue: Security issue fixed: - CVE-2018-19486: Fixed git that executed commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was (bsc#1117257). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of the 'allow_unsupported_modules' option. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1358-1 Released: Mon May 27 13:51:26 2019 Summary: Recommended update for rsync Type: recommended Severity: moderate References: 1100786,1108562 This update for rsync fixes the following issues: - rsync invoked with --sparse and --preallocate could have resulted in a failure (bsc#1108562) - Don't require systemd explicitly as it's not present in containers [bsc#1100786]. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issue: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issue: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1892-1 Released: Thu Jul 18 15:54:35 2019 Summary: Recommended update for openslp Type: recommended Severity: moderate References: 1117969,1136136 This update for openslp fixes the following issues: - Use TCP connections to talk with other directory agents (DAs) (bsc#1117969) - Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issue: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issue: Security issue fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. 
libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function from jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2681-1 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Type: recommended Severity: moderate References: 1148244 This update for libdb-4_8 fixes the following issue: - Add off-page deadlock patch as found and documented by Red Hat. 
(bsc#1148244) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:45-1 Released: Wed Jan 8 14:56:48 2020 Summary: Security update for git Type: security Severity: important References: 1082023,1149792,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604 This update for git fixes the following issues: Security issues fixed: - CVE-2019-1349: Fixed an issue on Windows where, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787). - CVE-2019-19604: Fixed an issue where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795). - CVE-2019-1387: Fixed too-lax validation of submodule names, which allowed very targeted remote code execution attacks in recursive clones (bsc#1158793). - CVE-2019-1354: Fixed Git on Windows to refuse to write tracked files with filenames that contain backslashes (bsc#1158792). - CVE-2019-1353: Fixed an issue where, when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791). - CVE-2019-1352: Fixed an issue where Git on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790). - CVE-2019-1351: Fixed an issue where Git on Windows mistook drive letters outside of the US-English alphabet for relative paths (bsc#1158789). - CVE-2019-1350: Fixed incorrect quoting of command-line arguments that allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788). - CVE-2019-1348: Fixed an issue where the --export-marks option of fast-import was also exposed via the in-stream command feature export-marks=... 
and allowed overwriting arbitrary paths (bsc#1158785). - Fixes an issue where git send-email failed to authenticate with the SMTP server (bsc#1082023) Bug fixes: - Add zlib dependency, which used to be provided by openssl-devel, so that the package can compile successfully after the openssl upgrade to 1.1.1. (bsc#1149792). ----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:52-1 Released: Thu Jan 9 10:09:11 2020 Summary: Optional update for openslp Type: optional Severity: low References: 1149792 This update for openslp doesn't fix any user visible bugs. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:825-1 Released: Tue Mar 31 13:30:37 2020 Summary: Recommended update for openslp Type: recommended Severity: moderate References: 1165050,1165121 This update for openslp fixes the following issues: - Add missing group prerequisites to the openslp-server package. (bsc#1165050) - Add missing openslp prerequisites to the openslp-server package. (bsc#1165121) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:991-1 Released: Tue Apr 14 20:07:08 2020 Summary: Security update for git Type: security Severity: important References: 1168930,CVE-2020-5260 This update for git fixes the following issue: - CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled into giving credential information for a wrong host (bsc#1168930). 
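The newline injection behind CVE-2020-5260 (the advisory just above), modelled as an added example for this digest; this is not git's code and not part of the advisory. It is a simplified reimplementation of how a client derives the host from a URL and serialises the request it writes to a credential helper, with the vulnerable serialiser beside a hardened one and a helper-side parser that shows which host the helper ends up answering for. The crafted URL, the host names one.example.com and two.example.com, and all function names are constructed for the illustration; the empty-host refusal in the hardened path is my reading of the later CVE-2020-11008 hardening described in the next advisory, not something this page states.

```python
"""Model of the git credential-helper request and of the newline injection
behind CVE-2020-5260.  Illustrative reimplementation written for this
digest, not git's own code.  All URLs and host names are constructed
sample input.

git asks a credential helper for a secret by writing newline-delimited
key=value lines (protocol=..., host=..., ...) followed by a blank line.
A percent-encoded newline (%0a) in the host part of a crafted URL was
decoded before that request was serialised, so attacker-controlled text
became an extra "host=" line and the helper answered for the wrong host.
"""
from __future__ import annotations

from urllib.parse import unquote


class UnsafeUrl(ValueError):
    """Raised by the hardened path when a URL would corrupt the request."""


def split_url(url: str) -> tuple[str, str]:
    """Return (protocol, host) the way git's credential code derives them
    (simplified model): the host is everything between '://' and the first
    '/', with any user@ prefix removed, and percent-escapes are decoded.
    '?' is deliberately not special here, which is what lets %0a in a
    query-looking suffix land inside the host."""
    protocol, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"URL has no protocol: {url!r}")
    host = rest.partition("/")[0]
    if "@" in host:
        host = host.rsplit("@", 1)[1]
    return protocol, unquote(host)


def credential_request_unsafe(url: str) -> str:
    """Serialise the request as the vulnerable client did: the decoded
    values are written out without checking for line terminators."""
    protocol, host = split_url(url)
    return f"protocol={protocol}\nhost={host}\n\n"


def credential_request_safe(url: str) -> str:
    """Serialise the request as a fixed client does (modelled): refuse any
    value carrying CR/LF, because one value must map to exactly one line,
    and refuse an empty host so the helper cannot fall back to a guess
    (assumption: mirrors the later CVE-2020-11008 hardening)."""
    protocol, host = split_url(url)
    for key, value in (("protocol", protocol), ("host", host)):
        if "\n" in value or "\r" in value:
            raise UnsafeUrl(f"{key} contains a line terminator: {value!r}")
    if not host:
        raise UnsafeUrl("empty host")
    return f"protocol={protocol}\nhost={host}\n\n"


def parse_request(request: str) -> dict[str, str]:
    """Read a request the way a credential helper does: one key=value per
    line, a blank line ends the request, a repeated key keeps the last
    value seen.  That last-wins rule is why the injected line matters."""
    fields: dict[str, str] = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def rejected(url: str) -> bool:
    """True if the hardened serialiser refuses this URL."""
    try:
        credential_request_safe(url)
    except UnsafeUrl:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker URL: %0a decodes to "\n" inside the host.
    crafted = "https://one.example.com?%0ahost=two.example.com/"
    fields = parse_request(credential_request_unsafe(crafted))
    print("vulnerable client asks the helper for host:", fields["host"])
    print("hardened client refuses the URL:", rejected(crafted))
```

Running the script shows the vulnerable path asking the helper for two.example.com although the user typed one.example.com, while the hardened path rejects the URL before anything reaches the helper. The same last-value-wins parse is why an injected "protocol=" line is just as dangerous as an injected "host=" line, so the hardened serialiser checks every field it writes rather than only the host.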
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1121-1 Released: Tue Apr 28 07:15:43 2020 Summary: Security update for git Type: security Severity: moderate References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936,CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 This update for git fixes the following issues: Security issues fixed: * CVE-2020-11008: Specially crafted URLs may have tricked the credential helper into providing credential information that is not appropriate for the protocol in use and the host being contacted (bsc#1169936) git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792) - Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). * CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client send credential information for the wrong host to the attacker's site (bsc#1168930) git 2.26.0 (bsc#1167890, jsc#SLE-11608): * 'git rebase' now uses a different backend that is based on the 'merge' machinery by default. The 'rebase.backend' configuration variable reverts to the old behaviour when set to 'apply' * Improved handling of sparse checkouts * Improvements to many commands and internal features git 2.25.2: * bug fixes to various subcommands in specific operations git 2.25.1: * 'git commit' now honors advise.statusHints * various updates, bug fixes and documentation updates git 2.25.0 * The branch description ('git branch --edit-description') has been used to fill the body of the cover letters by the format-patch command; this has been enhanced so that the subject can also be filled. 
* A few commands learned to take the pathspec from the standard input or a named file, instead of taking it as the command line arguments, with the '--pathspec-from-file' option. * Test updates to prepare for the SHA-2 transition continue. * Redo 'git name-rev' to avoid recursive calls. * When all files from some subdirectory were renamed to the root directory, the directory rename heuristics would fail to detect that as a rename/merge of the subdirectory to the root directory, which has been corrected. * HTTP transport had a possible allocator/deallocator mismatch, which has been corrected. git 2.24.1: * CVE-2019-1348: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785) * CVE-2019-1349: on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787) * CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788) * CVE-2019-1351: Git on Windows mistook drive letters outside of the US-English alphabet for relative paths (bsc#1158789) * CVE-2019-1352: Git on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790) * CVE-2019-1353: when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791) * CVE-2019-1354: Git on Windows now refuses to write tracked files with filenames that contain backslashes (bsc#1158792) * CVE-2019-1387: recursive clones were vulnerable because of too-lax validation of submodule names, allowing very targeted remote code execution attacks in recursive clones (bsc#1158793) * CVE-2019-19604: a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795) git 2.24.0 * The command line parser learned '--end-of-options' notation. * A mechanism to affect the default setting for a (related) group of configuration variables is introduced. * 'git fetch' learned the '--set-upstream' option to help those who first clone from the private fork they intend to push to, add the true upstream via 'git remote add' and then 'git fetch' from it. * fixes and improvements to UI, workflow and features, bash completion fixes git 2.23.0: * The '--base' option of 'format-patch' computed the patch-ids for prerequisite patches in an unstable way, which has been updated to compute in a way that is compatible with 'git patch-id --stable'. * The 'git log' command by default behaves as if the --mailmap option was given. * fixes and improvements to UI, workflow and features git 2.22.1 * A relative pathname given to 'git init --template=' ought to be relative to the directory 'git init' gets invoked in, but it instead was made relative to the repository, which has been corrected. * 'git worktree add' used to fail when another worktree connected to the same repository was corrupt, which has been corrected. * 'git am -i --resolved' segfaulted after trying to see a commit as if it were a tree, which has been corrected. * 'git merge --squash' is designed to update the working tree and the index without creating the commit, and this cannot be countermanded by adding the '--commit' option; the command now refuses to work when both options are given. * Update to Unicode 12.1 width table. * 'git request-pull' learned to warn when the ref we ask them to pull from in the local repository and in the published repository are different. * 'git fetch' into a lazy clone forgot to fetch base objects that are necessary to complete delta in a thin packfile, which has been corrected. * The URL decoding code has been updated to avoid going past the end of the string while parsing %-- sequence.
* 'git clean' silently skipped a path when it could not lstat() it; now it gives a warning. * 'git rm' to resolve a conflicted path leaked an internal message 'needs merge' before actually removing the path, which was confusing. This has been corrected. * Many more bugfixes and code cleanups. - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld. - partial fix for git instaweb giving 500 error (bsc#1112230) git 2.22.0 * The filter specification '--filter=sparse:path=' used to create a lazy/partial clone has been removed. Using a blob that is part of the project as sparse specification is still supported with the '--filter=sparse:oid=' option * 'git checkout --no-overlay' can be used to trigger a new mode of checking out paths out of the tree-ish, that allows paths that match the pathspec that are in the current index and working tree and are not in the tree-ish to be removed. * Four new configuration variables {author,committer}.{name,email} have been introduced to override user.{name,email} in more specific cases. * 'git branch' learned a new subcommand '--show-current'. * The command line completion (in contrib/) has been taught to complete more subcommand parameters. * The completion helper code now pays attention to repository-local configuration (when available), which allows --list-cmds to honour a repository specific setting of completion.commands, for example. * The list of conflicted paths shown in the editor while concluding a conflicted merge was shown above the scissors line when the clean-up mode is set to 'scissors', even though it was commented out just like the list of updated paths and other information to help the user explain the merge better. * 'git rebase' that was reimplemented in C did not set ORIG_HEAD correctly, which has been corrected. * 'git worktree add' used to do a 'find an available name with stat and then mkdir', which is race-prone. This has been fixed by using mkdir and reacting to EEXIST in a loop.
- Move to DocBook 5.x. Asciidoctor 2.x no longer supports the legacy DocBook 4.5 format. - update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350) git 2.21.0 * Historically, the '-m' (mainline) option could only be used for 'git cherry-pick' and 'git revert' when working with a merge commit. This version of Git no longer warns or errors out when working with a single-parent commit, as long as the argument to the '-m' option is 1 (i.e. it has only one parent, and the request is to pick or revert relative to that first parent). Scripts that relied on the old behaviour may break with this change. * Small fixes and features for fast-export and fast-import. * The 'http.version' configuration variable can be used with recent enough versions of the cURL library to force the version of HTTP used to talk when fetching and pushing. * 'git push $there $src:$dst' rejects when $dst is not a fully qualified refname and it is not clear what the end user meant. * Update 'git multimail' from the upstream. * A new date format '--date=human' that morphs its output depending on how far the time is from the current time has been introduced. '--date=auto:human' can be used to use this new format (or any existing format) when the output is going to the pager or to the terminal, and otherwise the default format. - Fix worktree creation race (bsc#1114225). - add shadow build dependency to the -daemon subpackage. git 2.20.1: * portability fixes * 'git help -a' did not work well when an overly long alias was defined * no longer squelched an error message when the run_command API failed to run a missing command git 2.20.0 * 'git help -a' now gives verbose output (same as 'git help -av'). Those who want the old output may say 'git help --no-verbose -a'. * 'git send-email' learned to grab an address-looking string on any trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff' options to explain the difference between this version and the previous attempt in the cover letter (or after the three-dashes as a comment). * Developer builds now use the -Wunused-function compilation option. * Fix a bug in which the same path could be registered under multiple worktree entries if the path was missing (for instance, was removed manually). Also, as a convenience, expand the number of cases in which --force is applicable. * The overly large Documentation/config.txt file has been split into a million little pieces. This potentially allows each individual piece to be included into the manual page of the command it affects more easily. * Malformed or crafted data in a packstream could make our code attempt to read or write past the allocated buffer and abort, instead of reporting an error, which has been fixed. * Fix for a long-standing bug that leaves the index file corrupt when it shrinks during a partial commit. * 'git merge' and 'git pull' that merge into an unborn branch used to completely ignore '--verify-signatures', which has been corrected. * ...and many more features and fixes git 2.19.2: * various bug fixes for multiple subcommands and operations git 2.19.1: * CVE-2018-17456: Specially crafted .gitmodules files may have allowed arbitrary code execution when the repository is cloned with --recurse-submodules (bsc#1110949) git 2.19.0: * 'git diff' compares the index and the working tree. For paths added with the intent-to-add bit, the command shows the full contents of them as added, but the paths themselves were not marked as new files. They are now shown as new by default. * 'git apply' learned the '--intent-to-add' option so that an otherwise working-tree-only application of a patch will add new paths to the index marked with the 'intent-to-add' bit. * 'git grep' learned the '--column' option that gives not just the line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for '--create-reflog', but many users, both old and new, somehow expect it to be something else, perhaps '--list'. This step warns when '-l' is used as a short-hand for '--create-reflog' and warns about its future repurposing when it is used. * The userdiff pattern for .php has been updated. * The content-transfer-encoding of the message 'git send-email' sends out by default was 8bit, which can cause trouble when there is an overlong line that busts the RFC 5322/2822 limit. A new option 'auto' to automatically switch to quoted-printable when there is such a line in the payload has been introduced and is made the default. * 'git checkout' and 'git worktree add' learned to honor checkout.defaultRemote when auto-vivifying a local branch out of a remote tracking branch in a repository with multiple remotes that have tracking branches that share the same names. (merge 8d7b558bae ab/checkout-default-remote later to maint). * 'git grep' learned the '--only-matching' option. * 'git rebase --rebase-merges' mode now handles octopus merges as well. * Add a server-side knob to skip commits in exponential/Fibonacci stride in an attempt to cover a wider swath of history with a smaller number of iterations, potentially accepting a larger packfile transfer, instead of going back one commit at a time during common ancestor discovery during the 'git fetch' transaction. (merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint). * A new configuration variable core.usereplacerefs has been added, primarily to help server installations that want to ignore the replace mechanism altogether. * Teach 'git tag -s' etc. a few configuration variables (gpg.format that can be set to 'openpgp' or 'x509', and gpg.<format>.program that is used to specify what program to use to deal with the format) to allow x.509 certs with CMS via 'gpgsm' to be used instead of openpgp via 'gnupg'. * Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should continue with submitting. * The test performed at the receiving end of 'git push' to prevent bad objects from entering the repository can be customized via receive.fsck.* configuration variables; we now have gained a counterpart to do the same on the 'git fetch' side, with fetch.fsck.* configuration variables. * 'git pull --rebase=interactive' learned 'i' as a short-hand for 'interactive'. * 'git instaweb' has been adjusted to run better with newer Apache on RedHat based distros. * 'git range-diff' is a reimplementation of 'git tbdiff' that lets us compare individual patches in two iterations of a topic. * The sideband code learned to optionally paint selected keywords at the beginning of incoming lines on the receiving end. * 'git branch --list' learned to take the default sort order from the 'branch.sort' configuration variable, just like 'git tag --list' pays attention to 'tag.sort'. * The 'git worktree' command learned the '--quiet' option to make it less verbose. git 2.18.0: * improvements to rename detection logic * When built with more recent cURL, GIT_SSL_VERSION can now specify 'tlsv1.3' as its value. * 'git mergetools' learned talking to guiffy. * various other workflow improvements and fixes * performance improvements and other developer visible fixes git 2.17.1 * Submodule 'names' come from the untrusted .gitmodules file, but we blindly appended them to $GIT_DIR/modules to create our on-disk repo paths. This means you could do bad things by putting '../' into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235, bsc#1095219) * It was possible to trick the code that sanity-checks paths on NTFS into reading a random piece of memory (CVE-2018-11233, bsc#1095218) * Support on the server side to reject pushes to repositories that attempt to create such problematic .gitmodules files etc.
as tracked contents, to help hosting sites protect their customers by preventing malicious contents from spreading. git 2.17.0: * The 'diff' family of commands learned the '--find-object=' option to limit the findings to changes that involve the named object. * 'git format-patch' learned to give 72-cols to diffstat, which is consistent with other line length limits the subcommand uses for its output meant for e-mails. * The log from 'git daemon' can be redirected with a new option; one relevant use case is to send the log to standard error (instead of syslog) when running it from inetd. * 'git rebase' learned to take the '--allow-empty-message' option. * 'git am' has learned the '--quit' option, in addition to the existing '--abort' option; having the pair mirrors a few other commands like 'rebase' and 'cherry-pick'. * 'git worktree add' learned to run the post-checkout hook, just like 'git clone' runs it upon the initial checkout. * 'git tag' learned an explicit '--edit' option that allows the message given via '-m' and '-F' to be further edited. * 'git fetch --prune-tags' may be used as a handy short-hand for getting rid of stale tags that are locally held. * The new '--show-current-patch' option gives an end-user facing way to get the diff being applied when 'git rebase' (and 'git am') stops with a conflict. * 'git add -p' used to offer '/' (look for a matching hunk) as a choice, even when there was only one hunk, which has been corrected. Also the single-key help is now given only for keys that are enabled (e.g. help for '/' won't be shown when there is only one hunk). * Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when the side branch being merged is a descendant of the current commit, create a merge commit instead of fast-forwarding) when merging a tag object.
This was an appropriate default for integrators who pull signed tags from their downstream contributors, but caused unnecessary merges when used by downstream contributors who habitually 'catch up' their topic branches with tagged releases from the upstream. Update 'git merge' to default to --no-ff only when merging a tag object that does *not* sit at its usual place in the refs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate the problem. * 'git status' can spend a lot of cycles to compute the relation between the current branch and its upstream, which can now be disabled with the '--no-ahead-behind' option. * 'git diff' and friends learned funcname patterns for Go language source files. * 'git send-email' learned the '--reply-to=<address>' option. * The funcname pattern used for C# now recognizes the 'async' keyword. * In a way similar to how 'git tag' learned to honor the pager setting only in the list mode, 'git config' learned to ignore the pager setting when it is used for setting values (i.e. when the purpose of the operation is not to 'show'). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1340-1 Released: Tue May 19 13:26:34 2020 Summary: Recommended update for git Type: recommended Severity: moderate References: 1149792,1169786,1169936,1170302,1170741,1170939 This update for git to version 2.26.2 fixes the following issues: - Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). - Enabled access for git-daemon in firewall configuration (bsc#1170302). - Fixed problems with the recent switch to protocol v2, which caused fetches to transfer an unreasonable amount of data (bsc#1170741). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issue: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE, which is not foreseeable.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1795-1 Released: Mon Jun 29 11:22:45 2020 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1172566 This update for lvm2 fixes the following issue: - Fix potential data loss problem with LVM cache (bsc#1172566) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2018-1 Released: Thu Jul 23 09:35:42 2020 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1172040 This update for apparmor fixes the following issue: - Add 'UI_Showfile' so YaST shows the profile correctly. (bsc#1172040) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2638-1 Released: Tue Sep 15 15:41:32 2020 Summary: Recommended update for cryptsetup Type: recommended Severity: moderate References: 1165580 This update for cryptsetup fixes the following issues: Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580) - Fix support of larger metadata areas in the *LUKS2* header. This release properly supports all specified metadata areas, as documented in the *LUKS2* format description. Currently, only the default metadata area size is used (in format or convert). Later cryptsetup versions will allow increasing this metadata area size. - If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check if the requested *AEAD* algorithm with the specified key size is available in the kernel crypto API. This change avoids formatting a device that cannot be activated later. For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. Note that the kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2. - Fix setting of the integrity no-journal flag. Now you can store this flag in the metadata using the *--persistent* option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during the initial password prompt. - Add an early check to plain and LUKS2 formats to disallow device format if the device size is not aligned to the requested sector size. Previously this was possible, and the kernel later refused to activate the device. - Fix checking of hash algorithm availability for *PBKDF* early. Previously the *LUKS2* format allowed a non-existent hash algorithm with an invalid keyslot, preventing the device from activation. - Allow the Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in *LUKS1/2* devices. For benchmark, use: # cryptsetup benchmark -c xchacha12,aes-adiantum # cryptsetup benchmark -c xchacha20,aes-adiantum For LUKS format: # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2781-1 Released: Tue Sep 29 11:29:34 2020 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1173799 This update for openssh fixes the following issue: - This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. (bsc#1173799). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2850-1 Released: Fri Oct 2 12:26:03 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1175110 This update for lvm2 fixes the following issue: - Fixed an issue where LVM hot spares were not added automatically
(bsc#1175110) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied: instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namespace matching. - Link against libzstd to close libsolv's open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '<p>' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that the command is aliased to a search command and searches case-insensitively (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accept MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) From sle-security-updates at lists.suse.com Wed Nov 4 07:14:45 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 15:14:45 +0100 (CET) Subject: SUSE-SU-2020:3149-1: important: Security update for apache-commons-httpclient Message-ID:
<20201104141445.DB5A6FFA8@maintenance.suse.de> SUSE Security Update: Security update for apache-commons-httpclient ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3149-1 Rating: important References: #1178171 #945190 Cross-References: CVE-2014-3577 CVE-2015-5262 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache-commons-httpclient fixes the following issues: - http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262] - org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. [bsc#1178171, CVE-2014-3577] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
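The CVE-2014-3577 entry in this advisory (and in SUSE-SU-2020:3151-1 below, which ships the same fix for SLE 15) describes a hostname verifier that located the Common Name by scanning the subject DN string for 'CN='. The Python below is an added example, not Apache HttpClient code: it shows that substring scan accepting a forged certificate, beside an RDN parser that keeps a quoted ',CN=' inside the attribute value it belongs to, and a verifier that consults subjectAltName first as RFC 6125 requires. Certificates are represented as plain dicts, and every subject string and hostname in it is constructed for the demonstration.

```python
"""Added example (not Apache HttpClient code): why matching 'CN=' as a
substring of a certificate subject is unsafe, and how proper RDN parsing
plus SAN-first matching avoids it (CVE-2014-3577).

Certificates are modelled as dicts with a 'subject' DN string (RFC 4514
syntax) and an optional 'san' list of DNS names; all values are constructed.
"""


class DNError(ValueError):
    """Raised for a subject DN that cannot be parsed."""


def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of (TYPE, value) pairs.

    Honors backslash escapes and double-quoted values, so a comma or a
    'CN=' that sits inside an attribute value stays inside that value.
    """
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise DNError("malformed RDN near %r" % dn[i:])
        attr_type = dn[i:eq].strip().upper()
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        chars = []
        if i < n and dn[i] == '"':
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:
                    i += 1
                chars.append(dn[i])
                i += 1
            i += 1  # closing quote
            while i < n and dn[i] not in ",+":
                i += 1
        else:
            while i < n and dn[i] not in ",+":
                if dn[i] == "\\" and i + 1 < n:
                    i += 1
                chars.append(dn[i])
                i += 1
        rdns.append((attr_type, "".join(chars).strip()))
        i += 1  # step over the ',' or '+' separator
    return rdns


def cn_values_vulnerable(subject):
    """The flawed approach: split on commas and take every token that starts
    with 'CN='. A quoted value containing ',CN=' yields an extra, forged CN."""
    cns = []
    for token in subject.split(","):
        token = token.strip()
        if token[:3].upper() == "CN=":
            cns.append(token[3:].strip().strip('"'))
    return cns


def cn_values(subject):
    """Only the real CN attribute values, taken from a proper RDN parse."""
    return [value for attr_type, value in parse_dn(subject) if attr_type == "CN"]


def match_hostname(pattern, host):
    """Case-insensitive match; a leading '*.' stands for exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def verify_hostname(cert, host, hardened=True):
    """Decide whether cert is valid for host.

    hardened=True: if the cert carries DNS SANs, only those count (RFC 6125);
    otherwise the properly parsed CN is used. hardened=False reproduces the
    old check, which also trusted the substring-scanned CNs.
    """
    sans = cert.get("san", [])
    if hardened:
        names = sans if sans else cn_values(cert["subject"])
    else:
        names = sans + cn_values_vulnerable(cert["subject"])
    return any(match_hostname(name, host) for name in names)


if __name__ == "__main__":
    # Constructed attacker certificate: the CN is attacker-controlled, and
    # the O attribute carries a quoted ',CN=' naming the victim host.
    forged = {"subject": 'CN=www.evil.example, O="foo,CN=www.good.example"'}
    print("old check   :", verify_hostname(forged, "www.good.example", hardened=False))
    print("fixed check :", verify_hostname(forged, "www.good.example"))
```

The forged certificate only needs a CA willing to issue for www.evil.example with an attacker-chosen O attribute; nothing in it is issued for the victim name. That is why the fix has to be in the parser rather than in the CA policy: once the DN is split into attribute values, a ',CN=' inside the O value is just text.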
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3149=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3149=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3149=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3149=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3149=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3149=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3149=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3149=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3149=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3149=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3149=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3149=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3149=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3149=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3149=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3149=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE OpenStack Cloud 9 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE OpenStack Cloud 8 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE OpenStack Cloud 7 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): 
apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): apache-commons-httpclient-3.1-6.3.1 - SUSE Enterprise Storage 5 (noarch): apache-commons-httpclient-3.1-6.3.1 - HPE Helion Openstack 8 (noarch): apache-commons-httpclient-3.1-6.3.1 References: https://www.suse.com/security/cve/CVE-2014-3577.html https://www.suse.com/security/cve/CVE-2015-5262.html https://bugzilla.suse.com/1178171 https://bugzilla.suse.com/945190 From sle-security-updates at lists.suse.com Wed Nov 4 07:15:53 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 15:15:53 +0100 (CET) Subject: SUSE-SU-2020:3151-1: important: Security update for apache-commons-httpclient Message-ID: <20201104141553.92AB5FFA8@maintenance.suse.de> SUSE Security Update: Security update for apache-commons-httpclient ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3151-1 Rating: important References: #1178171 #945190 Cross-References: CVE-2014-3577 CVE-2015-5262 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS 
______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache-commons-httpclient fixes the following issues: - http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262] - org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. [bsc#1178171, CVE-2014-3577] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3151=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3151=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3151=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3151=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3151=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (noarch): apache-commons-httpclient-3.1-4.3.2 - SUSE Linux Enterprise Server 15-LTSS (noarch): apache-commons-httpclient-3.1-4.3.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): apache-commons-httpclient-3.1-4.3.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): apache-commons-httpclient-3.1-4.3.2 - SUSE Linux 
Enterprise High Performance Computing 15-ESPOS (noarch): apache-commons-httpclient-3.1-4.3.2 References: https://www.suse.com/security/cve/CVE-2014-3577.html https://www.suse.com/security/cve/CVE-2015-5262.html https://bugzilla.suse.com/1178171 https://bugzilla.suse.com/945190 From sle-security-updates at lists.suse.com Wed Nov 4 07:16:57 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 15:16:57 +0100 (CET) Subject: SUSE-SU-2020:3147-1: important: Security update for rmt-server Message-ID: <20201104141657.DC451FFA8@maintenance.suse.de> SUSE Security Update: Security update for rmt-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3147-1 Rating: important References: #1172177 #1172182 #1172184 #1172186 #1173351 Cross-References: CVE-2019-16770 CVE-2019-5418 CVE-2019-5419 CVE-2019-5420 CVE-2020-11076 CVE-2020-11077 CVE-2020-15169 CVE-2020-5247 CVE-2020-5249 CVE-2020-5267 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 CVE-2020-8167 CVE-2020-8184 CVE-2020-8185 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. Description: This update for rmt-server fixes the following issues: - Version 2.6.5 - Solved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one. - Version 2.6.4 - Add web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum thread counts as well as the number of web server workers to be booted through /etc/rmt.conf.
- Version 2.6.3 - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name. - Version 2.6.2 - Fix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repository servers and inspects the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the timestamps for equality. - Version 2.6.1 - Fixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail. - Version 2.6.0 - Friendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits: * `rmt-cli mirror repositories` now works for custom repositories. * Custom repository IDs can be the same across RMT instances. * No more confusing "SCC ID" vs "ID" in `rmt-cli` output. Deprecation Warnings: * RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility. - Version 2.5.20 - Updated rails from 6.0.3.2 to 6.0.3.3: - actionview (CVE-2020-15169) - Version 2.5.19 - RMT now has the ability to remove local systems with the command `rmt-cli systems remove`. - Version 2.5.18 - Fixed exit code for `rmt-cli mirror` and its subcommands. Now it exits with 1 whenever an error occurs during mirroring. - Improved message logging for `rmt-cli mirror`.
Instead of logging an error when it occurs, the command summarizes all errors at the end of execution. Log messages now have colors to better identify failure/success. - Version 2.5.17 - RMT no longer provides the installer updates repository to systems via its zypper service. This repository is used during the installation process, as it provides an up-to-date installation experience, but it has no use on an already installed system. - Version 2.5.16 - Updated RMT's rails and puma dependencies. - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247, CVE-2019-16770) - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166) - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419) - activesupport (CVE-2020-8165) - railties (CVE-2019-5420) - Version 2.5.15 - RMT now checks if repositories are fully mirrored during the activation process. Previously, RMT only checked if the repositories were enabled to be mirrored, but not that they were actually mirrored. In this case, RMTs were not able to provide the repository data that systems assumed they had. - Version 2.5.14 - Enable 'Installer-Updates' repositories by default - Fixed deprecation warning when thor encountered an error. Also, instead of returning 0 for thor errors, rmt-cli now returns 1. - Version 2.5.13 - Added `rmt-cli repos clean` command to remove locally mirrored files of repositories which are not marked to be mirrored. - Previously, RMT didn't track deduplicated files in its database. Now, to accommodate `rmt-cli repos clean`, RMT will track all mirrored files. - Move the nginx reload to the configuration package which contains the nginx config files; don't reload nginx unconditionally from the main package.
- Version 2.5.12 - Update rack to version 2.2.3 (CVE-2020-8184: bsc#1173351) - Update Rails to version 5.2.4.3: - actionpack (CVE-2020-8164: bsc#1172177) - actionpack (CVE-2020-8166: bsc#1172182) - activesupport (CVE-2020-8165: bsc#1172186) - actionview (CVE-2020-8167: bsc#1172184) - Version 2.5.11 - rmt-server-pubcloud: - SLES11 EOL - Extension activation verification based on the available subscriptions - Added a manual instance verification script - Version 2.5.10 - Support running rmt-server with Ruby 2.7 (Factory/Tumbleweed): - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix an incompatibility with the Ruby 2.7 OpenStruct class; - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby 2.7; - Fix "last arg as keyword arg" Ruby 2.7 warning in source code; - Disable "deprecated" warnings from Ruby 2.7; Rails 5.1 generates a lot of warnings with Ruby 2.7, mainly due to "capturing the given block with Proc.new", which is deprecated; - Improve RPM spec to consider only the distribution default Ruby version configured in OBS; - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler'. - Move the nginx/vhosts.d directory to the correct sub-package. It is needed together with nginx, not rmt-server. - Fix dependencies, especially for containerized usage: - mariadb and nginx are not hard requirements; they can run on another host - Fix generic dependencies: - systemd ordering was missing - shadow is required for pre-install - Version 2.5.9 - rmt-server-pubcloud: enforce strict authentication - Version 2.5.8 - Use repomd_parser gem to remove repository metadata parsing code. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3147=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3147=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3147=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3147=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): rmt-server-2.6.5-3.34.1 rmt-server-config-2.6.5-3.34.1 rmt-server-debuginfo-2.6.5-3.34.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): rmt-server-2.6.5-3.34.1 rmt-server-config-2.6.5-3.34.1 rmt-server-debuginfo-2.6.5-3.34.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): rmt-server-2.6.5-3.34.1 rmt-server-config-2.6.5-3.34.1 rmt-server-debuginfo-2.6.5-3.34.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): rmt-server-2.6.5-3.34.1 rmt-server-config-2.6.5-3.34.1 rmt-server-debuginfo-2.6.5-3.34.1 References: https://www.suse.com/security/cve/CVE-2019-16770.html https://www.suse.com/security/cve/CVE-2019-5418.html https://www.suse.com/security/cve/CVE-2019-5419.html https://www.suse.com/security/cve/CVE-2019-5420.html https://www.suse.com/security/cve/CVE-2020-11076.html https://www.suse.com/security/cve/CVE-2020-11077.html https://www.suse.com/security/cve/CVE-2020-15169.html https://www.suse.com/security/cve/CVE-2020-5247.html https://www.suse.com/security/cve/CVE-2020-5249.html https://www.suse.com/security/cve/CVE-2020-5267.html https://www.suse.com/security/cve/CVE-2020-8164.html https://www.suse.com/security/cve/CVE-2020-8165.html https://www.suse.com/security/cve/CVE-2020-8166.html https://www.suse.com/security/cve/CVE-2020-8167.html https://www.suse.com/security/cve/CVE-2020-8184.html https://www.suse.com/security/cve/CVE-2020-8185.html 
https://bugzilla.suse.com/1172177 https://bugzilla.suse.com/1172182 https://bugzilla.suse.com/1172184 https://bugzilla.suse.com/1172186 https://bugzilla.suse.com/1173351 From sle-security-updates at lists.suse.com Wed Nov 4 07:19:10 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 15:19:10 +0100 (CET) Subject: SUSE-SU-2020:3152-1: important: Security update for apache-commons-httpclient Message-ID: <20201104141910.8A161FFA8@maintenance.suse.de> SUSE Security Update: Security update for apache-commons-httpclient ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3152-1 Rating: important References: #1178171 #945190 Cross-References: CVE-2014-3577 CVE-2015-5262 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache-commons-httpclient fixes the following issues: - http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262] - org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. [bsc#1178171, CVE-2014-3577] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
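The CN-extraction flaw behind CVE-2014-3577, described in the two apache-commons-httpclient advisories above, comes down to treating the certificate's subject DN as a flat comma-separated string. The following Python is an added example written for this page, not code from SUSE or from Apache HttpClient: `naive_cns` models the pre-fix tokenizer, and `parse_dn` is an RFC 4514 parser that honours backslash escapes, `\xx` hex escapes, double-quoted values and multi-valued (`+`) RDNs, so it goes beyond the single O-field case the advisory names. The sample DN strings and all function names are this example's own and were constructed for the demo.

```python
"""Added example for CVE-2014-3577 (not SUSE or Apache HttpClient code):
naive_cns() is the pre-fix "split the DN string on commas" pattern,
parse_dn() an RFC 4514 parser that keeps smuggled ",CN=" inside its value."""
import re

_HEX = set("0123456789abcdefABCDEF")

# Constructed sample DNs (not from any real certificate).
HONEST_DN = "CN=www.example.com,O=Example Corp,C=US"
# O value legally contains ",CN=..." via a backslash escape (RFC 4514 2.4).
FORGED_ESCAPED_DN = "CN=attacker.example,O=Evil\\,CN=www.apache.org,C=US"
# Same trick in a double-quoted value, the RFC 2253-era form that Java's
# X500Principal.toString() emits for values containing specials.
FORGED_QUOTED_DN = 'CN=attacker.example,O="Evil,CN=www.apache.org",C=US'


def naive_cns(dn):
    """Pre-fix pattern: split on ',' / '+' and take every CN= token.
    Quoting and escaping are ignored, which is the whole problem."""
    cns = []
    for tok in re.split(r"[,+]", dn):
        tok = tok.strip()
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns


def parse_dn(dn):
    """RFC 4514 string DN -> [(TYPE, value), ...] in string order.
    ',' / '+' separate RDNs only when neither backslash-escaped nor inside a
    double-quoted value; unescaped leading/trailing spaces are dropped;
    consecutive \\xx escapes decode as one UTF-8 run. Malformed -> ValueError."""
    pairs, attr, value, pending_ws = [], [], [], []
    in_value = in_quotes = False

    def add(text, literal):
        if not literal and text == " ":   # hold plain spaces back until a
            pending_ws.append(text)       # real character follows them
            return
        if value:
            value.extend(pending_ws)
        pending_ws.clear()
        value.append(text)

    def end_pair():
        if not "".join(attr).strip():
            raise ValueError("RDN without attribute type in %r" % dn)
        pairs.append(("".join(attr).strip().upper(), "".join(value)))
        attr.clear(); value.clear(); pending_ws.clear()

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if not in_value:                  # reading the attribute type
            if c == "=":
                in_value = True
            elif c in ",+":
                raise ValueError("attribute without '=' in %r" % dn)
            else:
                attr.append(c)
            i += 1
        elif c == "\\":                   # escaped char or \xx hex byte(s)
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                raw = bytearray()
                while i + 2 < n and dn[i] == "\\" and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                    raw.append(int(dn[i + 1:i + 3], 16))
                    i += 3
                add(raw.decode("utf-8"), True)
            elif i + 1 < n:
                add(dn[i + 1], True)
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % dn)
        elif c == '"':
            in_quotes = not in_quotes
            i += 1
        elif c in ",+" and not in_quotes: # RDN separator
            end_pair()
            in_value = False
            i += 1
        else:
            add(c, in_quotes)
            i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in %r" % dn)
    if in_value:
        end_pair()
    elif "".join(attr).strip():
        raise ValueError("attribute without '=' in %r" % dn)
    return pairs


def cns_from_dn(dn):
    """CN values seen by the real parser (what the fixed verifier uses)."""
    return [v for t, v in parse_dn(dn) if t == "CN"]


def host_matches_cn(host, cns):
    """Exact, case-insensitive CN fallback match (no wildcard handling)."""
    return host.lower() in [cn.lower() for cn in cns]
```

Against `FORGED_ESCAPED_DN`, `naive_cns` returns both `attacker.example` and `www.apache.org`, so `host_matches_cn("www.apache.org", ...)` succeeds and the spoof works; `cns_from_dn` returns only `attacker.example` because the parser keeps the comma inside the O value. Note that CN matching is only the fallback: a verifier should check subjectAltName dNSName entries first and consult the CN only when the certificate carries no SAN.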
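CVE-2015-5262, the other half of the same apache-commons-httpclient advisory, is an ordering bug: a socket timeout that only takes effect after the TLS handshake does nothing against a peer that accepts the TCP connection and then goes silent, so the HTTPS call hangs. The block below is an added Python example for this page (not SUSE's or HttpClient's code) that reproduces both orderings against a simulated silent peer built from `socket.socketpair()` and a thread; the constant names, the `handshake()` function and the 2-second/0.25-second figures are this example's own.

```python
"""Added example for CVE-2015-5262 (not SUSE or Apache HttpClient code).

Shows why the socket timeout must already be in force *during* the TLS
handshake. The silent "server" is one end of a socketpair that a thread
keeps open without sending a byte for PEER_SILENCE_S seconds, then closes:
the shape of a peer that completes TCP and then stalls the handshake.
"""
import socket
import ssl
import threading
import time

PEER_SILENCE_S = 2.0     # how long the silent peer keeps the connection open
CLIENT_TIMEOUT_S = 0.25  # the timeout the client believes it has configured


def _silent_peer(peer):
    """Hold the peer end open, never answer the ClientHello, then close it."""
    def run():
        time.sleep(PEER_SILENCE_S)
        peer.close()
    threading.Thread(target=run, daemon=True).start()


def _client_context():
    # Certificate checks never come into play here: the handshake stalls
    # before any certificate arrives. Disabled for the demo only.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def handshake(timeout_before_handshake):
    """One TLS handshake attempt against the silent peer.

    True : timeout applied to the socket before the handshake (fixed order).
    False: handshake on a blocking socket, timeout applied only afterwards
           (the pre-fix order the advisory describes).
    Returns {"outcome": ..., "elapsed": seconds spent in the handshake}.
    """
    client, peer = socket.socketpair()
    _silent_peer(peer)
    if timeout_before_handshake:
        client.settimeout(CLIENT_TIMEOUT_S)
    tls = _client_context().wrap_socket(client, do_handshake_on_connect=False)
    start = time.monotonic()
    try:
        tls.do_handshake()        # blocks until ServerHello, timeout or EOF
        if not timeout_before_handshake:
            tls.settimeout(CLIENT_TIMEOUT_S)  # pre-fix order: never reached here
        outcome = "handshake_completed"
    except socket.timeout:
        outcome = "timeout"       # our own limit ended the wait
    except (ssl.SSLError, OSError):
        outcome = "peer_closed"   # only the peer giving up ended the wait
    finally:
        elapsed = time.monotonic() - start
        tls.close()
        peer.close()
    return {"outcome": outcome, "elapsed": elapsed}


if __name__ == "__main__":
    for before in (True, False):
        r = handshake(before)
        print("timeout set %s handshake: %s after %.2fs"
              % ("before" if before else "after", r["outcome"], r["elapsed"]))
```

With the timeout set first the attempt ends after about a quarter of a second with a timeout error; with the pre-fix ordering the client sits in the handshake for the full two seconds and only returns because the simulated peer eventually closes the connection. A peer that never closes would hang the call indefinitely, which is the denial of service the advisory describes.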
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3152=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): apache-commons-httpclient-3.1-11.3.2 References: https://www.suse.com/security/cve/CVE-2014-3577.html https://www.suse.com/security/cve/CVE-2015-5262.html https://bugzilla.suse.com/1178171 https://bugzilla.suse.com/945190 From sle-security-updates at lists.suse.com Wed Nov 4 10:14:53 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 4 Nov 2020 18:14:53 +0100 (CET) Subject: SUSE-SU-2020:3155-1: critical: Security update for salt Message-ID: <20201104171453.7B07FFFA8@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3155-1 Rating: critical References: #1159670 #1175987 #1176024 #1176294 #1176397 #1177867 #1178319 #1178361 #1178362 Cross-References: CVE-2020-16846 CVE-2020-17490 CVE-2020-25592 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Python2 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves three vulnerabilities and has 6 fixes is now available. Description: This update for salt fixes the following issues: - Properly validate eauth credentials and tokens on SSH calls made by Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846) - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'. (bsc#1177867) - Ensure virt.update stop_on_reboot is updated with its default value. - Do not break package building for systemd OSes. - Drop wrong mock from chroot unit test. - Support systemd versions with dot. 
(bsc#1176294) - Fix for grains.test_core unit test. - Fix file/directory user and group ownership containing UTF-8 characters. (bsc#1176024) - Several changes to virtualization: * Fix virt update when cpu and memory are changed. * Memory Tuning GSoC. * Properly fix memory setting regression in virt.update. * Expose libvirt on_reboot in virt states. - Support transactional systems (MicroOS). - zypperpkg module ignores retcode 104 for search(). (bsc#1159670) - Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding file or block disk. (bsc#1175987) - Invalidate file list cache when cache file modified time is in the future. (bsc#1176397) - Prevent import errors when running test_btrfs unit tests. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3155=1 - SUSE Linux Enterprise Module for Python2 15-SP2: zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3155=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3155=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): salt-api-3000-4.20.1 salt-cloud-3000-4.20.1 salt-master-3000-4.20.1 salt-proxy-3000-4.20.1 salt-ssh-3000-4.20.1 salt-standalone-formulas-configuration-3000-4.20.1 salt-syndic-3000-4.20.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): salt-fish-completion-3000-4.20.1 - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64): python2-salt-3000-4.20.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): python3-salt-3000-4.20.1 salt-3000-4.20.1 salt-doc-3000-4.20.1 salt-minion-3000-4.20.1 - SUSE Linux 
Enterprise Module for Basesystem 15-SP2 (noarch): salt-bash-completion-3000-4.20.1 salt-zsh-completion-3000-4.20.1 References: https://www.suse.com/security/cve/CVE-2020-16846.html https://www.suse.com/security/cve/CVE-2020-17490.html https://www.suse.com/security/cve/CVE-2020-25592.html https://bugzilla.suse.com/1159670 https://bugzilla.suse.com/1175987 https://bugzilla.suse.com/1176024 https://bugzilla.suse.com/1176294 https://bugzilla.suse.com/1176397 https://bugzilla.suse.com/1177867 https://bugzilla.suse.com/1178319 https://bugzilla.suse.com/1178361 https://bugzilla.suse.com/1178362 From sle-security-updates at lists.suse.com Thu Nov 5 00:07:57 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Nov 2020 08:07:57 +0100 (CET) Subject: SUSE-CU-2020:623-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20201105070757.E6D75FFAC@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:623-1 Container Tags : ses/7/cephcsi/cephcsi:3.1.1 , ses/7/cephcsi/cephcsi:3.1.1.0.3.12 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.1.1 , ses/7/cephcsi/cephcsi:v3.1.1.0 Container Release : 3.12 Severity : important Type : security References : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1153768 1153770 1154935 1157755 1160254 1160590 1163333 1163744 1165502 1167471 1173422 1174918 1176192 1176435 1176448 1176513 1176712 1176740 1176800 1176902 1177238 1177460 1177460 1178346 1178350 1178353 935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450 CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3031-1 Released: Mon Oct 26 10:14:09 2020 Summary: Recommended update for libstoragemgmt Type: recommended Severity: moderate References: 1176448 This update for libstoragemgmt fixes the following issues: - Shipment of missing package python3-libstoragemgmt-clibs (bsc#1176448) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied: instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namespace matching. - Link against libzstd to close libsolv's open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '<p>' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that the command is aliased to a search command and searches case-insensitively (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3060-1 Released: Wed Oct 28 08:09:21 2020 Summary: Security update for binutils Type: security Severity: moderate References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077 This update for binutils fixes the following issues: binutils was updated to version 2.35. (jsc#ECO-2373) Update to binutils 2.35: * The assembler can now produce DWARF-5 format line number tables. * Readelf now has a 'lint' mode to enable extra checks of the files it is processing. * Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option. * The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler. - fix DT_NEEDED order with -flto [bsc#1163744] Update to binutils 2.34: * The disassembler (objdump --disassemble) now has an option to generate ascii art that shows the arcs between the start and end points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing. * The assembler and linker now support the generation of ELF format files for the Z80 architecture. - Add new subpackages for libctf and libctf-nobfd. - Disable LTO due to bsc#1163333. - Includes fixes for these CVEs: bsc#1153768 aka CVE-2019-17451 aka PR25070 bsc#1153770 aka CVE-2019-17450 aka PR25078 - fix various build fails on aarch64 (PR25210, bsc#1157755). Update to binutils 2.33.1: * Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions. * Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors. * Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals. * For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. Set the default if the configure option is not used to 'no'. * The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details. * Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker. 
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI. * Add -z pac-plt for AArch64 to pick PAC enabled PLTs. * Add --source-comment[=<txt>] option to objdump which if present, provides a prefix to source code lines displayed in a disassembly. * Add --set-section-alignment <sec>=<align> option to objcopy to allow the changing of section alignments. * Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format. * The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used). In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf=follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file. * Add support for dumping types encoded in the Compact Type Format to objdump and readelf. - Includes fixes for these CVEs: bsc#1126826 aka CVE-2019-9077 aka PR1126826 bsc#1126829 aka CVE-2019-9075 aka PR1126829 bsc#1126831 aka CVE-2019-9074 aka PR24235 bsc#1140126 aka CVE-2019-12972 aka PR23405 bsc#1143609 aka CVE-2019-14444 aka PR24829 bsc#1142649 aka CVE-2019-14250 aka PR90924 * Add xBPF target * Fix various problems with DWARF 5 support in gas * fix nm -B for objects compiled with -flto and -fcommon.
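The BTI and PAC properties named in the binutils 2.33 and 2.34 items above are recorded in the output object's `.note.gnu.property` section, and whether `-z force-bti` or `-z pac-plt` really produced a BTI- or PAC-marked binary is something worth checking on the artefact itself rather than trusting the link flags. The following Python is an added example written for this page, not binutils code: it parses an `NT_GNU_PROPERTY_TYPE_0` note and reports the AArch64 feature bits, the same information `readelf -n` prints, and can pull the note out of a little-endian ELF64 file. The x86 IBT/SHSTK property is decoded alongside, which goes beyond the AArch64 case in the changelog. The numeric constants are the ELF gABI and binutils values; `build_note` constructs a sample note for the demo, the little-endian ELF64 restriction is an assumption of this example, and all function names are its own.

```python
"""Added example (not SUSE or binutils code): read the GNU property note that
records BTI/PAC (AArch64) or IBT/SHSTK (x86) compatibility, the bits that
-z force-bti / -z pac-plt are about. Assumes little-endian ELF64 (the usual
AArch64/x86-64 Linux case); constants follow the ELF gABI and binutils."""
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
AARCH64_FEATURE_1_BTI = 1 << 0
AARCH64_FEATURE_1_PAC = 1 << 1
X86_FEATURE_1_IBT = 1 << 0
X86_FEATURE_1_SHSTK = 1 << 1
SHT_NOTE = 7


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, elfclass64=True):
    """One NT_GNU_PROPERTY_TYPE_0 note -> {pr_type: pr_data bytes}.
    Layout: Elf_Nhdr(namesz, descsz, type), name "GNU\\0" padded to 4, then
    the descriptor, where each property is pr_type(4) pr_datasz(4) data,
    padded to 8 bytes on ELF64 and 4 on ELF32."""
    if len(note) < 12:
        raise ValueError("note too short")
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if note[12:12 + namesz] != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not a GNU property note")
    desc_off = 12 + _align(namesz, 4)
    desc = note[desc_off:desc_off + descsz]
    if len(desc) != descsz:
        raise ValueError("truncated descriptor")
    pad = 8 if elfclass64 else 4
    props, off = {}, 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        data = desc[off + 8:off + 8 + pr_datasz]
        if len(data) != pr_datasz:
            raise ValueError("truncated property 0x%x" % pr_type)
        props[pr_type] = data
        off += 8 + _align(pr_datasz, pad)
    return props


def _feature_bits(props, pr_type):
    data = props.get(pr_type)
    return struct.unpack_from("<I", data)[0] if data and len(data) >= 4 else 0


def aarch64_features(props):
    """What readelf -n reports as 'AArch64 feature: BTI, PAC'."""
    bits = _feature_bits(props, GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    return {"bti": bool(bits & AARCH64_FEATURE_1_BTI),
            "pac": bool(bits & AARCH64_FEATURE_1_PAC)}


def x86_features(props):
    """The x86 counterpart: 'x86 feature: IBT, SHSTK'."""
    bits = _feature_bits(props, GNU_PROPERTY_X86_FEATURE_1_AND)
    return {"ibt": bool(bits & X86_FEATURE_1_IBT),
            "shstk": bool(bits & X86_FEATURE_1_SHSTK)}


def build_note(pr_type, bits, elfclass64=True):
    """Constructed sample note carrying one 4-byte feature property, laid out
    as the linker emits it (demo and test input only, not a real object)."""
    pad = 8 if elfclass64 else 4
    prop = struct.pack("<III", pr_type, 4, bits)
    prop += b"\0" * (_align(len(prop), pad) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def gnu_property_note_from_elf(path):
    """Raw .note.gnu.property bytes of a little-endian ELF64 file, or None."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def shdr(i):  # Elf64_Shdr: name, type, flags, addr, offset, size, ...
        return struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)

    strtab = shdr(e_shstrndx)[4]
    for i in range(e_shnum):
        sh_name, sh_type, _, _, sh_offset, sh_size = shdr(i)[:6]
        if sh_type != SHT_NOTE:
            continue
        end = data.index(b"\0", strtab + sh_name)
        if data[strtab + sh_name:end] == b".note.gnu.property":
            return data[sh_offset:sh_offset + sh_size]
    return None


if __name__ == "__main__":
    import sys
    note = (gnu_property_note_from_elf(sys.argv[1]) if len(sys.argv) > 1
            else build_note(GNU_PROPERTY_AARCH64_FEATURE_1_AND,
                            AARCH64_FEATURE_1_BTI | AARCH64_FEATURE_1_PAC))
    props = parse_gnu_property_note(note) if note else {}
    print(aarch64_features(props), x86_features(props))
```

Run with the path of a binary as the only argument to inspect a real object; without arguments it decodes the constructed sample. A missing section or a note without the AArch64 property both report BTI and PAC as false, which is the answer you want for an object that was linked without `-z force-bti`, and a note from an x86 object never claims AArch64 features because the property types differ.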
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important References: 1177460,1178346,1178350,1178353 This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. 
(bsc#1177460) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3127-1 Released: Tue Nov 3 11:48:41 2020 Summary: Recommended update for rook Type: recommended Severity: moderate References: This update for rook fixes the following issues: - Drop OFFSET from cephcsi image tag - Update helm chart to use appropriate version prefix for the final registry destination - Improve consistency with image tags ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) From sle-security-updates at lists.suse.com Thu Nov 5 00:09:32 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Nov 2020 08:09:32 +0100 (CET) Subject: SUSE-CU-2020:629-1: Security update of ses/7/ceph/ceph Message-ID: <20201105070932.A0D97FFAC@maintenance.suse.de> SUSE Container Update Advisory: ses/7/ceph/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:629-1 Container Tags : 
ses/7/ceph/ceph:15.2.5.514 , ses/7/ceph/ceph:15.2.5.514.3.558 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus Container Release : 3.558 Severity : important Type : security References : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1153768 1153770 1154935 1157755 1160254 1160590 1163333 1163744 1165502 1167471 1173422 1174918 1176192 1176435 1176448 1176513 1176712 1176740 1176800 1176902 1177238 1177460 1177460 1178346 1178350 1178353 935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450 CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 ----------------------------------------------------------------- The container ses/7/ceph/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3031-1 Released: Mon Oct 26 10:14:09 2020 Summary: Recommended update for libstoragemgmt Type: recommended Severity: moderate References: 1176448 This update for libstoragemgmt fixes the following issues: - Shipment of missing package python3-libstoragemgmt-clibs (bsc#1176448) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:04:52 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. 
This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied: instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namespace matching. - Link against libzstd to close libsolv's open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '<p>' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that the command is aliased to a search command and searches case-insensitively (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3060-1 Released: Wed Oct 28 08:09:21 2020 Summary: Security update for binutils Type: security Severity: moderate References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077 This update for binutils fixes the following issues: binutils was updated to version 2.35. (jsc#ECO-2373) Update to binutils 2.35: * The assembler can now produce DWARF-5 format line number tables. * Readelf now has a 'lint' mode to enable extra checks of the files it is processing. * Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option. * The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler. - fix DT_NEEDED order with -flto [bsc#1163744] Update to binutils 2.34: * The disassembler (objdump --disassemble) now has an option to generate ascii art that shows the arcs between the start and end points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is an HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing.
* The assembler and linker now support the generation of ELF format files for the Z80 architecture.
- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals.
* For MIPS, add the -m[no-]fix-loongson3-llsc option to fix (or not) the Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. If the configure option is not used, the default is 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which, if present, provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <sec>=<align> option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used.) In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf=follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format to objdump and readelf.
- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released: Thu Oct 29 19:33:41 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released: Tue Nov 3 09:48:13 2020
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accept MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

From sle-security-updates at lists.suse.com Thu Nov 5 00:14:54 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 08:14:54 +0100 (CET)
Subject: SUSE-CU-2020:648-1: Security update of ses/7/rook/ceph
Message-ID: <20201105071454.154E8FFAC@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:648-1
Container Tags : ses/7/rook/ceph:1.4.6 , ses/7/rook/ceph:1.4.6.6 , ses/7/rook/ceph:1.4.6.6.1.1339 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release : 1.1339
Severity : important
Type : security
References : 1104902 1126826 1126829 1126831 1140126 1142649 1143609 1153768 1153770 1154935 1157755 1160254 1160590 1163333 1163744 1165502 1167471 1173422 1174918 1176192 1176435 1176448 1176513 1176712 1176740 1176800 1176902 1177238 1177460
1177460 1178346 1178350 1178353 935885 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450 CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3031-1
Released: Mon Oct 26 10:14:09 2020
Summary: Recommended update for libstoragemgmt
Type: recommended
Severity: moderate
References: 1176448

This update for libstoragemgmt fixes the following issues:
- Shipment of missing package python3-libstoragemgmt-clibs (bsc#1176448)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released: Tue Oct 27 16:04:52 2020
Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied: instead of matching the package versions, each of the package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolv's open references (as we link statically)

yaml-cpp:
- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:
- info: Assume descriptions starting with '\n' are richtext (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released: Wed Oct 28 08:09:21 2020
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077

This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option.
* The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler.
- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to generate ASCII art that shows the arcs between the start and end points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is an HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing.
* The assembler and linker now support the generation of ELF format files for the Z80 architecture.
- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals.
* For MIPS, add the -m[no-]fix-loongson3-llsc option to fix (or not) the Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. If the configure option is not used, the default is 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which, if present, provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <sec>=<align> option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used.) In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf=follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format to objdump and readelf.
- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
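The BTI/PAC entries in the binutils 2.33.1 notes above (GNU_PROPERTY_AARCH64_FEATURE_1_BTI, GNU_PROPERTY_AARCH64_FEATURE_1_PAC, -z force-bti, -z pac-plt) all revolve around one ELF structure, the NT_GNU_PROPERTY_TYPE_0 note, and the practical question after updating a toolchain is whether a given binary actually carries those bits. The following Python is an added example, not code from binutils or from this SUSE update: it parses that note, reports which hardening bits are set, and generalizes to the x86 IBT/SHSTK property, which uses the same note layout. The note and property-type values are the public GNU ELF ABI constants; build_property_note() produces constructed test input; flags_from_elf() assumes a little-endian ELF64 file whose note is reachable through its PT_GNU_PROPERTY segment.

```python
"""Report the BTI/PAC (AArch64) or IBT/SHSTK (x86) bits in an ELF GNU property note.

Added example; not code from binutils or from SUSE.  Note and property
type values are the public GNU ELF ABI constants; the sample note built
by build_property_note() is constructed test input.
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                    # note type carrying GNU properties
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
PT_GNU_PROPERTY = 0x6474E553                  # program header that points at the note

# Bit layout of the two FEATURE_1_AND words.
FEATURE_BITS = {
    GNU_PROPERTY_AARCH64_FEATURE_1_AND: {1 << 0: "BTI", 1 << 1: "PAC"},
    GNU_PROPERTY_X86_FEATURE_1_AND: {1 << 0: "IBT", 1 << 1: "SHSTK"},
}


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, elfclass=64):
    """Return {pr_type: raw data} for one NT_GNU_PROPERTY_TYPE_0 note.

    `note` is the complete note: namesz, descsz, type, "GNU\\0", descriptor.
    Each property in the descriptor is (pr_type u32, pr_datasz u32, data)
    padded to 8 bytes on ELF64 and to 4 bytes on ELF32.
    """
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name = note[12:12 + namesz]
    if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
        raise ValueError("not an NT_GNU_PROPERTY_TYPE_0 note")
    pad = 8 if elfclass == 64 else 4
    desc_off = _align(12 + namesz, 4)
    desc = note[desc_off:desc_off + descsz]
    props, pos = {}, 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        pos += 8
        props[pr_type] = desc[pos:pos + pr_datasz]
        pos = _align(pos + pr_datasz, pad)
    return props


def feature_flags(props):
    """Names of the hardening bits set in the FEATURE_1_AND properties, sorted.

    The linker ANDs these words over all inputs, so a missing BTI or PAC
    here means at least one input object was built without the feature
    (the case that -z force-bti warns about).
    """
    names = []
    for pr_type, bits in FEATURE_BITS.items():
        data = props.get(pr_type)
        if data is None or len(data) < 4:
            continue
        word = struct.unpack_from("<I", data)[0]
        names.extend(n for bit, n in bits.items() if word & bit)
    return sorted(names)


def build_property_note(pr_type, word, elfclass=64):
    """Constructed test input: a GNU property note with one FEATURE_1_AND word."""
    pad = 8 if elfclass == 64 else 4
    entry = struct.pack("<III", pr_type, 4, word)
    entry += b"\0" * (_align(len(entry), pad) - len(entry))
    return struct.pack("<III", 4, len(entry), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + entry


def flags_from_elf(path):
    """Flags of a little-endian ELF64 file, read from its PT_GNU_PROPERTY segment.

    Returns [] when the binary carries no property note at all, which is
    what a binary from a toolchain without BTI/PAC support looks like.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return feature_flags(parse_gnu_property_note(data[p_offset:p_offset + p_filesz]))
    return []


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, ",".join(flags_from_elf(path)) or "no GNU property note")
```

Run it as `python3 gnuprop.py /path/to/binary` on an AArch64 binary linked with the updated binutils; `readelf -n` on the same file shows the equivalent "Properties:" line, so the two can be cross-checked. An empty result is the interesting case for an audit: it means the binary has no property note at all, which is indistinguishable from one whose inputs were never built for BTI, and is exactly what the -z force-bti warning about missing input properties is meant to surface at link time rather than after deployment.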
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released: Thu Oct 29 19:33:41 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released: Tue Nov 3 09:48:13 2020
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3127-1
Released: Tue Nov 3 11:48:41 2020
Summary: Recommended update for rook
Type: recommended
Severity: moderate
References:

This update for rook fixes the following issues:
- Drop OFFSET from cephcsi image tag
- Update helm chart to use appropriate version prefix for the final registry destination
- Improve consistency with image tags

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accept MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

From sle-security-updates at lists.suse.com Thu Nov 5 07:16:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:16:13 +0100 (CET)
Subject: SUSE-SU-2020:3159-1: important: Security update for java-11-openjdk
Message-ID: <20201105141613.5DEA3FFA8@maintenance.suse.de>

SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3159-1
Rating: important
References: #1177943
Cross-References: CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for java-11-openjdk fixes the following issues:

- Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943)
  * New features
    + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector
  * Security fixes
    + JDK-8233624: Enhance JNI linkage
    + JDK-8236196: Improve string pooling
    + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
    + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
    + JDK-8237995, CVE-2020-14782: Enhance certificate processing
    + JDK-8240124: Better VM Interning
    + JDK-8241114, CVE-2020-14792: Better range handling
    + JDK-8242680, CVE-2020-14796: Improved URI Support
    + JDK-8242685, CVE-2020-14797: Better Path Validation
    + JDK-8242695, CVE-2020-14798: Enhanced buffer support
    + JDK-8243302: Advanced class supports
    + JDK-8244136, CVE-2020-14803: Improved Buffer supports
    + JDK-8244479: Further constrain certificates
    + JDK-8244955: Additional Fix for JDK-8240124
    + JDK-8245407: Enhance zoning of times
    + JDK-8245412: Better class definitions
    + JDK-8245417: Improve certificate chain handling
    + JDK-8248574: Improve jpeg processing
    + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
    + JDK-8253019: Enhanced JPEG decoding
  * Other changes
    + JDK-6532025: GIF reader throws misleading exception with truncated images
    + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing an infinite loop
    + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails
    + JDK-8062947: Fix exception message to correctly represent LDAP connection failure
    + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
    + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use
    + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
    + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
    + JDK-8172404: Tools should warn if weak algorithms are used before restricting them
    + JDK-8193367: Annotated type variable bounds crash javac
    + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset
    + JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
    + JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called
    + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass
    + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
    + JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java
    + JDK-8204963: javax.swing.border.TitledBorder has a memory leak
    + JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
    + JDK-8205534: Remove SymbolTable dependency from serviceability agent
    + JDK-8206309: Tier1 SA tests fail
    + JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out
    + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1
    + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
    + JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent!
    + JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful
    + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout
    + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2
    + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
    + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
    + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code
    + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3
    + JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack
    + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests
    + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds
    + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout
    + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4
    + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject
    + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test
    + JDK-8211694: JShell: Redeclared variable should be reset
    + JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent
    + JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest
    + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55
    + JDK-8212807: tools/jar/multiRelease/Basic.java times out
    + JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent)
    + JDK-8213214: Set -Djava.io.tmpdir= when running tests
    + JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found
    + JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes
    + JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface
    + JDK-8214074: Ghash optimization using AVX instructions
    + JDK-8214491: Upgrade to JLine 3.9.0
    + JDK-8214797: TestJmapCoreMetaspace.java timed out
    + JDK-8215243: JShell tests failing intermitently with "Problem cleaning up the following threads:"
    + JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed
    + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions)
    + JDK-8215438: jshell tool: Ctrl-D causes EOF
    + JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows
    + JDK-8216974: HttpConnection not returned to the pool after 204 response
    + JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time
    + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
    + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
    + JDK-8221658: aarch64: add necessary predicate for ubfx patterns
    + JDK-8221759: Crash when completing "java.io.File.path"
    + JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found
    + JDK-8222074: Enhance auto vectorization for x86
    + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp
    + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command
    + JDK-8223688: JShell: crash on the instantiation of raw anonymous class
    + JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error
    + JDK-8223940: Private key not supported by chosen signature algorithm
    + JDK-8224184: jshell got IOException at exiting with AIX
    + JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc
    + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException
    + JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions
    + JDK-8226536: Catch OOM from deopt that fails rematerializing objects
    + JDK-8226575: OperatingSystemMXBean should be made container aware
    + JDK-8226697: Several tests which need the @key headful keyword are missing it.
    + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous
    + JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out
    + JDK-8227269: Slow class loading when running with JDWP
    + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6"
    + JDK-8228448: Jconsole can't connect to itself
    + JDK-8228967: Trust/Key store and SSL context utilities for tests
    + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
    + JDK-8229815: Upgrade Jline to 3.12.1
    + JDK-8230000: some httpclients testng tests run zero test
    + JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test
    + JDK-8230010: Remove jdk8037819/BasicTest1.java
    + JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter
    + JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
    + JDK-8230767: FlightRecorderListener returns null recording
    + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java
    + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
    + JDK-8231586: enlarge encoding space for OopMapValue offsets
    + JDK-8231953: Wrong assumption in assertion in oop::register_oop
    + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
    + JDK-8232083: Minimal VM is broken after JDK-8231586
    + JDK-8232161: Align some one-way conversion in MS950 charset with Windows
    + JDK-8232855: jshell missing word in /help help
    + JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration
    + JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
    + JDK-8233386: Initialize NULL fields for unused decorations
    + JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result
    + JDK-8233686: XML transformer uses excessive amount of memory
    + JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions
    + JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment
    + JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
    + JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
    + JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr
    + JDK-8234149: Several regression tests do not dispose Frame at end
    + JDK-8234347: "Turkey" meta time zone does not generate composed localized names
    + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly
    + JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC
    + JDK-8234541: C1 emits an empty message when it inlines successfully
    + JDK-8234687: change javap reporting on unknown attributes
    + JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11
    + JDK-8236548: Localized time zone name inconsistency between English and other locales
    + JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
    + JDK-8237182: Update copyright header for shenandoah and epsilon files
    + JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval
    + JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java
    + JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response
    + JDK-8238284: [macos] Zero VM build fails due to an obvious typo
    + JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
    + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
    + JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
    + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes
    + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code
    + JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method");
    + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
    + JDK-8240169: javadoc fails to link to non-modular api docs
    + JDK-8240295: hs_err elapsed time in seconds is not accurate enough
    + JDK-8240360: NativeLibraryEvent has wrong library name on Linux
    + JDK-8240676: Meet not symmetric failure when running lucene on jdk8
    + JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support
    + JDK-8241065: Shenandoah: remove leftover code after JDK-8231086
    + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
    + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException
    + JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector
    + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
    + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME
    + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
    + JDK-8241750: x86_32 build failure after JDK-8227269
    + JDK-8242184: CRL generation error with RSASSA-PSS
    + JDK-8242283: Can't start JVM when java home path includes non-ASCII character
    + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
    + JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework
    + JDK-8243138: Enhance BaseLdapServer to support starttls extended request
    + JDK-8243320: Add SSL root certificates to Oracle Root CA program
    + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
    + JDK-8243389: enhance os::pd_print_cpu_info on linux
    + JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment
    + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
    + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
    + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows)
    + JDK-8244087: 2020-04-24 public suffix list update
    + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
    + JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base
    + JDK-8244196: adjust output in os_linux
    + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in
    + JDK-8244287: JFR: Methods samples have line number 0
    + JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI
    + JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it"
    + JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb
    + JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
    + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
    + JDK-8245151: jarsigner should not raise duplicate warnings on verification
    + JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
    + JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
    + JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
    + JDK-8245832: JDK build make-static-libs should build all JDK libraries
    + JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan
    + JDK-8245981: Upgrade to jQuery 3.5.1
    + JDK-8246027: Minimal fastdebug build broken after JDK-8245801
    + JDK-8246094: [macos] Sound Recording and playback is not working
    + JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
    + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
    + JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError
    + JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
    + JDK-8246330: Add TLS Tests for Legacy ECDSA curves
    + JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place"
    + JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods
    + JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
    + JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code
    + JDK-8247615: Initialize the bytes left for the heap sampler
    + JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand
    + JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
    + JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg
    + JDK-8248214: Add paddings
for TaskQueueSuper to reduce false-sharing cache contention + JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + JDK-8248348: Regression caused by the update to BCEL 6.0 + JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + JDK-8248495: [macos] zerovm is broken due to libffi headers location + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + JDK-8249255: Build fails if source code in cygwin home dir + JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + JDK-8249560: Shenandoah: Fix racy GC request handling + JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + JDK-8250609: C2 crash in IfNode::fold_compares + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + JDK-8250787: Provider.put no longer registering aliases in FIPS env + JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + 
JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured" + JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + JDK-8252258: [11u] JDK-8242154 changes the default vendor + JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + JDK-8253283: [11u] Test build/translations/ /VerifyTranslations.java failing after JDK-8252258 + JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)" introduced in jdk 11.0.9 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3159=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-11-openjdk-11.0.9.0-3.15.1 java-11-openjdk-debuginfo-11.0.9.0-3.15.1 java-11-openjdk-debugsource-11.0.9.0-3.15.1 java-11-openjdk-demo-11.0.9.0-3.15.1 java-11-openjdk-devel-11.0.9.0-3.15.1 java-11-openjdk-headless-11.0.9.0-3.15.1 References: https://www.suse.com/security/cve/CVE-2020-14779.html https://www.suse.com/security/cve/CVE-2020-14781.html https://www.suse.com/security/cve/CVE-2020-14782.html https://www.suse.com/security/cve/CVE-2020-14792.html https://www.suse.com/security/cve/CVE-2020-14796.html https://www.suse.com/security/cve/CVE-2020-14797.html https://www.suse.com/security/cve/CVE-2020-14798.html https://www.suse.com/security/cve/CVE-2020-14803.html https://bugzilla.suse.com/1177943 From sle-security-updates at lists.suse.com Thu Nov 
5 07:17:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Nov 2020 15:17:09 +0100 (CET) Subject: SUSE-SU-2020:3162-1: moderate: Security update for ImageMagick Message-ID: <20201105141709.D0CB1FFA8@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3162-1 Rating: moderate References: #1178067 Cross-References: CVE-2020-27560 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ImageMagick fixes the following issues: - CVE-2020-27560: Fixed potential denial of service in OptimizeLayerFrames function in MagickCore/layer.c (bsc#1178067). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3162=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3162=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-7.0.7.34-3.85.1
      ImageMagick-debugsource-7.0.7.34-3.85.1
      perl-PerlMagick-7.0.7.34-3.85.1
      perl-PerlMagick-debuginfo-7.0.7.34-3.85.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      ImageMagick-7.0.7.34-3.85.1
      ImageMagick-config-7-SUSE-7.0.7.34-3.85.1
      ImageMagick-debuginfo-7.0.7.34-3.85.1
      ImageMagick-debugsource-7.0.7.34-3.85.1
      ImageMagick-devel-7.0.7.34-3.85.1
      libMagick++-7_Q16HDRI4-7.0.7.34-3.85.1
      libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-3.85.1
      libMagick++-devel-7.0.7.34-3.85.1
      libMagickCore-7_Q16HDRI6-7.0.7.34-3.85.1
      libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-3.85.1
      libMagickWand-7_Q16HDRI6-7.0.7.34-3.85.1
      libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-3.85.1

References:

   https://www.suse.com/security/cve/CVE-2020-27560.html
   https://bugzilla.suse.com/1178067

From sle-security-updates at lists.suse.com  Thu Nov  5 07:18:09 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:18:09 +0100 (CET)
Subject: SUSE-SU-2020:3164-1: moderate: Security update for ImageMagick
Message-ID: <20201105141809.6A0BEFFA8@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3164-1
Rating:             moderate
References:         #1106272 #1178067
Cross-References:   CVE-2020-27560
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for ImageMagick fixes the following issues:

   - CVE-2020-27560: Fixed potential denial of service in OptimizeLayerFrames
     function in MagickCore/layer.c (bsc#1178067).
   - Fixed greyish image produced by incorrect colorspace (bsc#1106272).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3164=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3164=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-7.0.7.34-10.3.1
      ImageMagick-debugsource-7.0.7.34-10.3.1
      perl-PerlMagick-7.0.7.34-10.3.1
      perl-PerlMagick-debuginfo-7.0.7.34-10.3.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      ImageMagick-7.0.7.34-10.3.1
      ImageMagick-config-7-SUSE-7.0.7.34-10.3.1
      ImageMagick-debuginfo-7.0.7.34-10.3.1
      ImageMagick-debugsource-7.0.7.34-10.3.1
      ImageMagick-devel-7.0.7.34-10.3.1
      libMagick++-7_Q16HDRI4-7.0.7.34-10.3.1
      libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-10.3.1
      libMagick++-devel-7.0.7.34-10.3.1
      libMagickCore-7_Q16HDRI6-7.0.7.34-10.3.1
      libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-10.3.1
      libMagickWand-7_Q16HDRI6-7.0.7.34-10.3.1
      libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-10.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-27560.html
   https://bugzilla.suse.com/1106272
   https://bugzilla.suse.com/1178067

From sle-security-updates at lists.suse.com  Thu Nov  5 07:19:19 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:19:19 +0100 (CET)
Subject: SUSE-SU-2020:3166-1: moderate: Security update for wireshark
Message-ID: <20201105141919.F13ADFFA8@maintenance.suse.de>

   SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3166-1
Rating:             moderate
References:         #1175204 #1176908 #1176909 #1176910
Cross-References:   CVE-2020-17498 CVE-2020-25862 CVE-2020-25863 CVE-2020-25866
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for wireshark fixes the following issues:

   - Update to wireshark 3.2.7:
     * CVE-2020-25863: MIME Multipart dissector crash (bsc#1176908)
     * CVE-2020-25862: TCP dissector crash (bsc#1176909)
     * CVE-2020-25866: BLIP dissector crash (bsc#1176910)
     * CVE-2020-17498: Kafka dissector crash (bsc#1175204)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3166=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3166=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3166=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3166=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      wireshark-debuginfo-3.2.7-3.41.1
      wireshark-debugsource-3.2.7-3.41.1
      wireshark-devel-3.2.7-3.41.1
      wireshark-ui-qt-3.2.7-3.41.1
      wireshark-ui-qt-debuginfo-3.2.7-3.41.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      wireshark-debuginfo-3.2.7-3.41.1
      wireshark-debugsource-3.2.7-3.41.1
      wireshark-devel-3.2.7-3.41.1
      wireshark-ui-qt-3.2.7-3.41.1
      wireshark-ui-qt-debuginfo-3.2.7-3.41.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libwireshark13-3.2.7-3.41.1
      libwireshark13-debuginfo-3.2.7-3.41.1
      libwiretap10-3.2.7-3.41.1
      libwiretap10-debuginfo-3.2.7-3.41.1
      libwsutil11-3.2.7-3.41.1
      libwsutil11-debuginfo-3.2.7-3.41.1
      wireshark-3.2.7-3.41.1
      wireshark-debuginfo-3.2.7-3.41.1
      wireshark-debugsource-3.2.7-3.41.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libwireshark13-3.2.7-3.41.1
      libwireshark13-debuginfo-3.2.7-3.41.1
      libwiretap10-3.2.7-3.41.1
      libwiretap10-debuginfo-3.2.7-3.41.1
      libwsutil11-3.2.7-3.41.1
      libwsutil11-debuginfo-3.2.7-3.41.1
      wireshark-3.2.7-3.41.1
      wireshark-debuginfo-3.2.7-3.41.1
      wireshark-debugsource-3.2.7-3.41.1

References:

   https://www.suse.com/security/cve/CVE-2020-17498.html
   https://www.suse.com/security/cve/CVE-2020-25862.html
   https://www.suse.com/security/cve/CVE-2020-25863.html
   https://www.suse.com/security/cve/CVE-2020-25866.html
   https://bugzilla.suse.com/1175204
   https://bugzilla.suse.com/1176908
   https://bugzilla.suse.com/1176909
   https://bugzilla.suse.com/1176910

From sle-security-updates at lists.suse.com  Thu Nov  5 07:20:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:20:40 +0100 (CET)
Subject: SUSE-SU-2020:3165-1: moderate: Security update for bluez
Message-ID: <20201105142040.18A63FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for bluez
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3165-1
Rating:             moderate
References:         #1177895
Cross-References:   CVE-2020-27153
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for bluez fixes the following issues:

   - CVE-2020-27153: Fixed possible crash on disconnect (bsc#1177895).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3165=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3165=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3165=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      bluez-cups-5.48-5.28.1
      bluez-cups-debuginfo-5.48-5.28.1
      bluez-debuginfo-5.48-5.28.1
      bluez-debugsource-5.48-5.28.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      bluez-5.48-5.28.1
      bluez-debuginfo-5.48-5.28.1
      bluez-debugsource-5.48-5.28.1
      bluez-devel-5.48-5.28.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      bluez-debuginfo-5.48-5.28.1
      bluez-debugsource-5.48-5.28.1
      libbluetooth3-5.48-5.28.1
      libbluetooth3-debuginfo-5.48-5.28.1

References:

   https://www.suse.com/security/cve/CVE-2020-27153.html
   https://bugzilla.suse.com/1177895

From sle-security-updates at lists.suse.com  Thu Nov  5 07:21:37 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:21:37 +0100 (CET)
Subject: SUSE-SU-2020:3160-1: important: Security update for rmt-server
Message-ID: <20201105142137.F09E3FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for rmt-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3160-1
Rating:             important
References:         #1172177 #1172182 #1172184 #1172186 #1173351
Cross-References:   CVE-2019-16770 CVE-2019-5418 CVE-2019-5419 CVE-2019-5420
                    CVE-2020-11076 CVE-2020-11077 CVE-2020-15169 CVE-2020-5247
                    CVE-2020-5249 CVE-2020-5267 CVE-2020-8164 CVE-2020-8165
                    CVE-2020-8166 CVE-2020-8167 CVE-2020-8184 CVE-2020-8185
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Public Cloud 15-SP1
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for rmt-server fixes the following issues:

   - Version 2.6.5
     - Solved potential bug of SCC repository URLs changing over time. RMT now
       self heals by removing the previous invalid repository and creating the
       correct one.

   - Version 2.6.4
     - Add web server settings to /etc/rmt.conf: Now it's possible to configure
       the minimum and maximum threads count as well as the number of web server
       workers to be booted through /etc/rmt.conf.

   - Version 2.6.3
     - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT
       now builds an ID from the name.

   - Version 2.6.2
     - Fix RMT file caching based on timestamps: Previously, RMT sent GET
       requests with the header 'If-Modified-Since' to a repository server and
       if the response had a 304 (Not Modified), it would copy a file from the
       local cache instead of downloading. However, if the local file timestamp
       accidentally changed to a date newer than the one on the repository
       server, RMT would have an outdated file, which caused some errors. Now,
       RMT makes HEAD requests to the repository servers and inspects the
       'Last-Modified' header to decide whether to download a file or copy it
       from cache, by comparing the timestamps for equality.

   - Version 2.6.1
     - Fixed an issue where relative paths supplied to `rmt-cli import repos`
       caused the command to fail.

   - Version 2.6.0
     - Friendlier IDs for custom repositories: In an effort to simplify the
       handling of SCC and custom repositories, RMT now has friendly IDs. For
       SCC repositories, it's the same SCC ID as before. For custom
       repositories, it can either be user provided or RMT generated (MD5 of
       the provided URL).
       Benefits:
       * `rmt-cli mirror repositories` now works for custom repositories.
       * Custom repository IDs can be the same across RMT instances.
       * No more confusing "SCC ID" vs "ID" in `rmt-cli` output.
       Deprecation Warnings:
       * RMT now uses a different ID for custom repositories than before. RMT
         still supports that old ID, but it's recommended to start using the
         new ID to ensure future compatibility.

   - Version 2.5.20
     - Updated rails from 6.0.3.2 to 6.0.3.3:
       - actionview (CVE-2020-15169)

   - Version 2.5.19
     - RMT now has the ability to remove local systems with the command
       `rmt-cli systems remove`.

   - Version 2.5.18
     - Fixed exit code for `rmt-cli mirror` and its subcommands. Now it exits
       with 1 whenever an error occurs during mirroring.
     - Improved message logging for `rmt-cli mirror`. Instead of logging an
       error when it occurs, the command summarizes all errors at the end of
       execution. Now log messages have colors to better identify
       failure/success.

   - Version 2.5.17
     - RMT no longer provides the installer updates repository to systems via
       its zypper service. This repository is used during the installation
       process, as it provides an up-to-date installation experience, but it
       has no use on an already installed system.

   - Version 2.5.16
     - Updated RMT's rails and puma dependencies.
       - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247,
         CVE-2019-16770)
       - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)
       - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)
       - activesupport (CVE-2020-8165)
       - railties (CVE-2019-5420)

   - Version 2.5.15
     - RMT now checks if repositories are fully mirrored during the activation
       process. Previously, RMT only checked if the repositories were enabled
       to be mirrored, but not that they were actually mirrored. In this case,
       RMTs were not able to provide the repository data which systems assumed
       they had.

   - Version 2.5.14
     - Enable 'Installer-Updates' repositories by default
     - Fixed deprecation warning when thor encountered an error. Also, instead
       of returning 0 for thor errors, rmt-cli will return 1 instead.

   - Version 2.5.13
     - Added `rmt-cli repos clean` command to remove locally mirrored files of
       repositories which are not marked to be mirrored.
     - Previously, RMT didn't track deduplicated files in its database. Now, to
       accommodate `rmt-cli repos clean`, RMT will track all mirrored files.
     - Move the nginx reload to the configuration package which contains nginx
       config files, don't reload nginx unconditionally from main package.

   - Version 2.5.12
     - Update rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)
     - Update Rails to version 5.2.4.3:
       - actionpack (CVE-2020-8164: bsc#1172177)
       - actionpack (CVE-2020-8166: bsc#1172182)
       - activesupport (CVE-2020-8165: bsc#1172186)
       - actionview (CVE-2020-8167: bsc#1172184)

   - Version 2.5.11
     - rmt-server-pubcloud:
       - SLES11 EOL
       - Extension activation verification based on the available subscriptions
       - Added a manual instance verification script

   - Version 2.5.10
     - Support rmt-server to run with Ruby 2.7 (Factory/Tumbleweed):
       - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix incompatibility
         with the Ruby 2.7 OpenStruct class;
       - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump
         gem 'ethon' version, which caused a 'rb_safe_level' warning on
         Ruby 2.7;
       - Fix "last arg as keyword arg" Ruby 2.7 warning on source code;
       - Disable "deprecated" warnings from Ruby 2.7; Rails 5.1 generates a lot
         of warnings with Ruby 2.7, mainly due to "capturing the given block
         with Proc.new", which is deprecated;
       - Improve RPM spec to consider only the distribution default Ruby
         version configured in OBS;
       - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler'.
     - Move nginx/vhosts.d directory to correct sub-package. They are needed
       together with nginx, not rmt-server.
     - Fix dependencies especially for containerized usage:
       - mariadb and nginx are not hard requires, could run on another host
     - Fix generic dependencies:
       - systemd ordering was missing
       - shadow is required for pre-install

   - Version 2.5.9
     - rmt-server-pubcloud: enforce strict authentication

   - Version 2.5.8
     - Use repomd_parser gem to remove repository metadata parsing code.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3160=1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-3160=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      rmt-server-2.6.5-3.18.1
      rmt-server-config-2.6.5-3.18.1
      rmt-server-debuginfo-2.6.5-3.18.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64):

      rmt-server-debuginfo-2.6.5-3.18.1
      rmt-server-pubcloud-2.6.5-3.18.1

References:

   https://www.suse.com/security/cve/CVE-2019-16770.html
   https://www.suse.com/security/cve/CVE-2019-5418.html
   https://www.suse.com/security/cve/CVE-2019-5419.html
   https://www.suse.com/security/cve/CVE-2019-5420.html
   https://www.suse.com/security/cve/CVE-2020-11076.html
   https://www.suse.com/security/cve/CVE-2020-11077.html
   https://www.suse.com/security/cve/CVE-2020-15169.html
   https://www.suse.com/security/cve/CVE-2020-5247.html
   https://www.suse.com/security/cve/CVE-2020-5249.html
   https://www.suse.com/security/cve/CVE-2020-5267.html
   https://www.suse.com/security/cve/CVE-2020-8164.html
   https://www.suse.com/security/cve/CVE-2020-8165.html
   https://www.suse.com/security/cve/CVE-2020-8166.html
   https://www.suse.com/security/cve/CVE-2020-8167.html
   https://www.suse.com/security/cve/CVE-2020-8184.html
   https://www.suse.com/security/cve/CVE-2020-8185.html
   https://bugzilla.suse.com/1172177
   https://bugzilla.suse.com/1172182
   https://bugzilla.suse.com/1172184
   https://bugzilla.suse.com/1172186
   https://bugzilla.suse.com/1173351

From sle-security-updates at lists.suse.com  Thu Nov  5 07:23:06 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:23:06 +0100 (CET)
Subject: SUSE-SU-2020:3163-1: moderate: Security update for ImageMagick
Message-ID: <20201105142306.DAB58FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3163-1
Rating:             moderate
References:         #1178067
Cross-References:   CVE-2020-27560
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ImageMagick fixes the following issues:

   - CVE-2020-27560: Fixed potential denial of service in OptimizeLayerFrames
     function in MagickCore/layer.c (bsc#1178067).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3163=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3163=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3163=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      ImageMagick-6.8.8.1-71.147.1
      ImageMagick-debuginfo-6.8.8.1-71.147.1
      ImageMagick-debugsource-6.8.8.1-71.147.1
      libMagick++-6_Q16-3-6.8.8.1-71.147.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.147.1
      libMagickCore-6_Q16-1-32bit-6.8.8.1-71.147.1
      libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.147.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      ImageMagick-6.8.8.1-71.147.1
      ImageMagick-config-6-SUSE-6.8.8.1-71.147.1
      ImageMagick-config-6-upstream-6.8.8.1-71.147.1
      ImageMagick-debuginfo-6.8.8.1-71.147.1
      ImageMagick-debugsource-6.8.8.1-71.147.1
      ImageMagick-devel-6.8.8.1-71.147.1
      libMagick++-6_Q16-3-6.8.8.1-71.147.1
      libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.147.1
      libMagick++-devel-6.8.8.1-71.147.1
      perl-PerlMagick-6.8.8.1-71.147.1
      perl-PerlMagick-debuginfo-6.8.8.1-71.147.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      ImageMagick-config-6-SUSE-6.8.8.1-71.147.1
      ImageMagick-config-6-upstream-6.8.8.1-71.147.1
      ImageMagick-debuginfo-6.8.8.1-71.147.1
      ImageMagick-debugsource-6.8.8.1-71.147.1
      libMagickCore-6_Q16-1-6.8.8.1-71.147.1
      libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.147.1
      libMagickWand-6_Q16-1-6.8.8.1-71.147.1
      libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.147.1

References:

   https://www.suse.com/security/cve/CVE-2020-27560.html
   https://bugzilla.suse.com/1178067

From sle-security-updates at lists.suse.com  Thu Nov  5 07:24:03 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 15:24:03 +0100 (CET)
Subject: SUSE-SU-2020:3161-1: important: Security update for u-boot
Message-ID: <20201105142403.F30DBFFA8@maintenance.suse.de>

   SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3161-1
Rating:             important
References:         #1162198 #1167209
Cross-References:   CVE-2020-10648 CVE-2020-8432
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for u-boot fixes the following issues:

   - CVE-2020-8432: Fixed a double free in the cmd/gpt.c do_rename_gpt_parts()
     function, which allowed an attacker to execute arbitrary code
     (bsc#1162198).
   - CVE-2020-10648: Fixed improper signature verification during verified
     boot (bsc#1167209).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3161=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      u-boot-tools-2020.01-10.9.1
      u-boot-tools-debuginfo-2020.01-10.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64):

      u-boot-rpiarm64-2020.01-10.9.1
      u-boot-rpiarm64-doc-2020.01-10.9.1

References:

   https://www.suse.com/security/cve/CVE-2020-10648.html
   https://www.suse.com/security/cve/CVE-2020-8432.html
   https://bugzilla.suse.com/1162198
   https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com  Thu Nov  5 10:15:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:15:02 +0100 (CET)
Subject: SUSE-SU-2020:3171-1: critical: Security update for salt
Message-ID: <20201105171502.1825EFFAB@maintenance.suse.de>

   SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3171-1
Rating:             critical
References:         #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for salt fixes the following issues:

   - Fix for CVE-2020-25592 (bsc#1178319), CVE-2020-16846 (bsc#1178361), and
     CVE-2020-17490 (bsc#1178362).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3171=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): salt-2016.11.4-48.13.1 salt-api-2016.11.4-48.13.1 salt-master-2016.11.4-48.13.1 salt-minion-2016.11.4-48.13.1 References: https://www.suse.com/security/cve/CVE-2020-16846.html https://www.suse.com/security/cve/CVE-2020-17490.html https://www.suse.com/security/cve/CVE-2020-25592.html https://bugzilla.suse.com/1178319 https://bugzilla.suse.com/1178361 https://bugzilla.suse.com/1178362 From sle-security-updates at lists.suse.com Thu Nov 5 10:16:16 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 5 Nov 2020 18:16:16 +0100 (CET) Subject: SUSE-SU-2020:3178-1: important: Security update for the Linux Kernel (Live Patch 20 for SLE 15) Message-ID: <20201105171616.BAF85FFA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 20 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3178-1 Rating: important References: #1173942 #1176012 #1176382 #1176896 Cross-References: CVE-2020-0431 CVE-2020-11668 CVE-2020-14381 CVE-2020-25212 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_58 fixes several issues. The following security issues were fixed: - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011). - CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. 
  This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1176722).
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-11668: Fixed an out-of-bounds write to the heap in drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) caused by mishandling invalid descriptors (bsc#1168952).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3178=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
  kernel-livepatch-4_12_14-150_58-default-2-2.1
  kernel-livepatch-4_12_14-150_58-default-debuginfo-2-2.1

References:

https://www.suse.com/security/cve/CVE-2020-0431.html
https://www.suse.com/security/cve/CVE-2020-11668.html
https://www.suse.com/security/cve/CVE-2020-14381.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1173942
https://bugzilla.suse.com/1176012
https://bugzilla.suse.com/1176382
https://bugzilla.suse.com/1176896

From sle-security-updates at lists.suse.com Thu Nov 5 10:18:51 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:18:51 +0100 (CET)
Subject: SUSE-SU-2020:3188-1: important: Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP1)
Message-ID: <20201105171851.1D83DFFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP1)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3188-1
Rating:             important
References:         #1176012 #1176382
Cross-References:   CVE-2020-14381 CVE-2020-25212
Affected Products:  SUSE Linux Enterprise Module for Live Patching 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-197_56 fixes several issues.

The following security issues were fixed:

- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3188=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-livepatch-4_12_14-197_56-default-2-2.1

References:

https://www.suse.com/security/cve/CVE-2020-14381.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1176012
https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Thu Nov 5 10:19:51 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:19:51 +0100 (CET)
Subject: SUSE-SU-2020:3190-1: important: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP1)
Message-ID: <20201105171951.A8A2DFFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP1)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3190-1
Rating:             important
References:         #1175992 #1176012 #1176072 #1176382
Cross-References:   CVE-2020-14381 CVE-2020-14386 CVE-2020-24394 CVE-2020-25212
Affected Products:  SUSE Linux Enterprise Module for Live Patching 15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-197_48 fixes several issues.

The following security issues were fixed:

- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have led to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
- CVE-2020-24394: The NFS server code can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support. This occurs because the current umask is not considered (bsc#1175518).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3172=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3189=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3190=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-livepatch-4_12_14-197_45-default-3-2.2
  kernel-livepatch-4_12_14-197_48-default-3-2.1
  kernel-livepatch-4_12_14-197_51-default-3-2.1

References:

https://www.suse.com/security/cve/CVE-2020-14381.html
https://www.suse.com/security/cve/CVE-2020-14386.html
https://www.suse.com/security/cve/CVE-2020-24394.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1175992
https://bugzilla.suse.com/1176012
https://bugzilla.suse.com/1176072
https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Thu Nov 5 10:21:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:21:04 +0100 (CET)
Subject: SUSE-SU-2020:3187-1: important: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP2)
Message-ID: <20201105172104.C3C50FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP2)
______________________________________________________________________________
Announcement ID:    SUSE-SU-2020:3187-1
Rating:             important
References:         #1175992 #1176072 #1176382
Cross-References:   CVE-2020-14386 CVE-2020-24394 CVE-2020-25212
Affected Products:  SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 5.3.18-22 fixes several issues.

The following security issues were fixed:

- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have led to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
- CVE-2020-24394: The NFS server code can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support. This occurs because the current umask is not considered (bsc#1175518).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3187=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-livepatch-5_3_18-22-default-3-8.2
  kernel-livepatch-5_3_18-22-default-debuginfo-3-8.2
  kernel-livepatch-SLE15-SP2_Update_0-debugsource-3-8.2

References:

https://www.suse.com/security/cve/CVE-2020-14386.html
https://www.suse.com/security/cve/CVE-2020-24394.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1175992
https://bugzilla.suse.com/1176072
https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Thu Nov 5 10:22:14 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:22:14 +0100 (CET)
Subject: SUSE-SU-2020:3186-1: important: Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP2)
Message-ID: <20201105172214.52A47FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP2)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3186-1
Rating:             important
References:         #1176072 #1176382
Cross-References:   CVE-2020-14386 CVE-2020-25212
Affected Products:  SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 5.3.18-24_12 fixes several issues.

The following security issues were fixed:

- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have led to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3184=1 SUSE-SLE-Module-Live-Patching-15-SP2-2020-3186=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-livepatch-5_3_18-24_12-default-2-2.1
  kernel-livepatch-5_3_18-24_12-default-debuginfo-2-2.1
  kernel-livepatch-5_3_18-24_9-default-3-2.1
  kernel-livepatch-5_3_18-24_9-default-debuginfo-3-2.1
  kernel-livepatch-SLE15-SP2_Update_1-debugsource-3-2.1
  kernel-livepatch-SLE15-SP2_Update_2-debugsource-2-2.1

References:

https://www.suse.com/security/cve/CVE-2020-14386.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1176072
https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Thu Nov 5 10:24:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:24:17 +0100 (CET)
Subject: SUSE-SU-2020:3181-1: important: Security update for the Linux Kernel (Live Patch 4 for SLE 15 SP2)
Message-ID: <20201105172417.3AED2FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 4 for SLE 15 SP2)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3181-1
Rating:             important
References:         #1176382
Cross-References:   CVE-2020-25212
Affected Products:  SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for the Linux Kernel 5.3.18-24_24 fixes one issue.

The following security issue was fixed:

- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3181=1 SUSE-SLE-Module-Live-Patching-15-SP2-2020-3182=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-livepatch-5_3_18-24_15-default-2-2.1
  kernel-livepatch-5_3_18-24_15-default-debuginfo-2-2.1
  kernel-livepatch-5_3_18-24_24-default-2-2.1
  kernel-livepatch-5_3_18-24_24-default-debuginfo-2-2.1
  kernel-livepatch-SLE15-SP2_Update_3-debugsource-2-2.1
  kernel-livepatch-SLE15-SP2_Update_4-debugsource-2-2.1

References:

https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Thu Nov 5 10:31:24 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 18:31:24 +0100 (CET)
Subject: SUSE-SU-2020:3180-1: important: Security update for the Linux Kernel (Live Patch 18 for SLE 15)
Message-ID: <20201105173124.31FD1FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 18 for SLE 15)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3180-1
Rating:             important
References:         #1175992 #1176012 #1176072 #1176382 #1176896
Cross-References:   CVE-2020-0431 CVE-2020-14381 CVE-2020-14386 CVE-2020-24394 CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Module for Live Patching 15
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-150_52 fixes several issues.

The following security issues were fixed:

- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1176722).
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact, because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have led to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
- CVE-2020-24394: The NFS server code can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support. This occurs because the current umask is not considered (bsc#1175518).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3173=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3174=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3175=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3176=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3177=1

- SUSE Linux Enterprise Module for Live Patching 15:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3179=1 SUSE-SLE-Module-Live-Patching-15-2020-3180=1 SUSE-SLE-Module-Live-Patching-15-2020-3183=1 SUSE-SLE-Module-Live-Patching-15-2020-3185=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-livepatch-4_12_14-197_26-default-7-2.2
  kernel-livepatch-4_12_14-197_29-default-7-2.2
  kernel-livepatch-4_12_14-197_34-default-6-2.2
  kernel-livepatch-4_12_14-197_37-default-6-2.2
  kernel-livepatch-4_12_14-197_40-default-5-2.2

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
  kernel-livepatch-4_12_14-150_41-default-7-2.2
  kernel-livepatch-4_12_14-150_41-default-debuginfo-7-2.2
  kernel-livepatch-4_12_14-150_47-default-7-2.2
  kernel-livepatch-4_12_14-150_47-default-debuginfo-7-2.2
  kernel-livepatch-4_12_14-150_52-default-3-2.2
  kernel-livepatch-4_12_14-150_52-default-debuginfo-3-2.2
  kernel-livepatch-4_12_14-150_55-default-3-2.1
  kernel-livepatch-4_12_14-150_55-default-debuginfo-3-2.1

References:

https://www.suse.com/security/cve/CVE-2020-0431.html
https://www.suse.com/security/cve/CVE-2020-14381.html
https://www.suse.com/security/cve/CVE-2020-14386.html
https://www.suse.com/security/cve/CVE-2020-24394.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://bugzilla.suse.com/1175992
https://bugzilla.suse.com/1176012
https://bugzilla.suse.com/1176072
https://bugzilla.suse.com/1176382
https://bugzilla.suse.com/1176896

From sle-security-updates at lists.suse.com Thu Nov 5 13:15:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Nov 2020 21:15:01 +0100 (CET)
Subject: SUSE-SU-2020:3191-1: important: Security update for java-1_8_0-openjdk
Message-ID: <20201105201501.320F7FFAC@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3191-1
Rating:             important
References:         #1171352 #1174157 #1177943
Cross-References:   CVE-2020-14556 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 16 vulnerabilities is now available.

Description:

This update for java-1_8_0-openjdk fixes the following issues:

- Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)", introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU, bsc#1174157, and October 2020 CPU, bsc#1177943)
  * New features
    + JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
    + PR3796: Allow the number of curves supported to be specified
  * Security fixes
    + JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
    + JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
    + JDK-8230613: Better ASCII conversions
    + JDK-8231800: Better listing of arrays
    + JDK-8232014: Expand DTD support
    + JDK-8233255: Better Swing Buttons
    + JDK-8233624: Enhance JNI linkage
    + JDK-8234032: Improve basic calendar services
    + JDK-8234042: Better factory production of certificates
    + JDK-8234418: Better parsing with CertificateFactory
    + JDK-8234836: Improve serialization handling
    + JDK-8236191: Enhance OID processing
    + JDK-8236196: Improve string pooling
    + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
    + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
    + JDK-8237592, CVE-2020-14577: Enhance certificate verification
    + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
    + JDK-8237995, CVE-2020-14782: Enhance certificate processing
    + JDK-8238002, CVE-2020-14581: Better matrix operations
    + JDK-8238804: Enhance key handling process
    + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
    + JDK-8238843: Enhanced font handing
    + JDK-8238920, CVE-2020-14583: Better Buffer support
    + JDK-8238925: Enhance WAV file playback
    + JDK-8240119, CVE-2020-14593: Less Affine Transformations
    + JDK-8240124: Better VM Interning
    + JDK-8240482: Improved WAV file playback
    + JDK-8241114, CVE-2020-14792: Better range handling
    + JDK-8241379: Update JCEKS support
    + JDK-8241522: Manifest improved jar headers redux
    + JDK-8242136, CVE-2020-14621: Better XML namespace handling
    + JDK-8242680, CVE-2020-14796: Improved URI Support
    + JDK-8242685, CVE-2020-14797: Better Path Validation
    + JDK-8242695, CVE-2020-14798: Enhanced buffer support
    + JDK-8243302: Advanced class supports
    + JDK-8244136, CVE-2020-14803: Improved Buffer supports
    + JDK-8244479: Further constrain certificates
    + JDK-8244955: Additional Fix for JDK-8240124
    + JDK-8245407: Enhance zoning of times
    + JDK-8245412: Better class definitions
    + JDK-8245417: Improve certificate chain handling
    + JDK-8248574: Improve jpeg processing
    + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
    + JDK-8253019: Enhanced JPEG decoding
  * Import of OpenJDK 8 u262 build 01
    + JDK-4949105: Access Bridge lacks html tags parsing
    + JDK-8003209: JFR events for network utilization
    + JDK-8030680: 292 cleanup from default method code assessment
    + JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and some tests failed on windows intermittently
    + JDK-8041626: Shutdown tracing event
    + JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
    + JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN coordinates
    + JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to "Connection succeeded"
    + JDK-8165675: Trace event for thread park has incorrect unit for timeout
    + JDK-8176182: 4 security tests are not run
    + JDK-8178910: Problemlist sample tests
    + JDK-8183925: Decouple crash protection from watcher thread
    + JDK-8191393: Random crashes during cfree+0x1c
    + JDK-8195817: JFR.stop should require name of recording
    + JDK-8195818: JFR.start should increase autogenerated name by one
    + JDK-8195819: Remove recording=x from jcmd JFR.check output
    + JDK-8199712: Flight Recorder
    + JDK-8202578: Revisit location for class unload events
    + JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing events
    + JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder)
    + JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant
    + JDK-8203664: JFR start failure after AppCDS archive created with JFR StartFlightRecording
    + JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552
    + JDK-8203929: Limit amount of data for JFR.dump
    + JDK-8205516: JFR tool
    + JDK-8207392: [PPC64] Implement JFR profiling
    + JDK-8207829: FlightRecorderMXBeanImpl is leaking the first classloader which calls it
    + JDK-8209960: -Xlog:jfr* doesn't work with the JFR
    + JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
    + JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7
    + JDK-8211239: Build fails without JFR: empty JFR events signatures mismatch
    + JDK-8212232: Wrong metadata for the configuration of the cutoff for old object sample events
    + JDK-8213015: Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions
    + JDK-8213421: Line number information for execution samples always 0
    + JDK-8213617: JFR should record the PID of the recorded process
    + JDK-8213734: SAXParser.parse(File, ..) does not close resources when Exception occurs.
    + JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests
    + JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test
    + JDK-8213966: The ZGC JFR events should be marked as experimental
    + JDK-8214542: JFR: Old Object Sample event slow on a deep heap in debug builds
    + JDK-8214750: Unnecessary tags in jfr classes
    + JDK-8214896: JFR Tool left files behind
    + JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with UnsatisfiedLinkError
    + JDK-8214925: JFR tool fails to execute
    + JDK-8215175: Inconsistencies in JFR event metadata
    + JDK-8215237: jdk.jfr.Recording javadoc does not compile
    + JDK-8215284: Reduce noise induced by periodic task getFileSize()
    + JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)
    + JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
    + JDK-8215771: The jfr tool should pretty print reference chains
    + JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly
    + JDK-8216486: Possibility of integer overflow in JfrThreadSampler::run()
    + JDK-8216528: test/jdk/java/rmi/transport/runtimeThreadInheritanceLeak/RuntimeThreadInheritanceLeak.java failing with Xcomp
    + JDK-8216559: [JFR] Native libraries not correctly parsed from /proc/self/maps
    + JDK-8216578: Remove unused/obsolete method in JFR code
    + JDK-8216995: Clean up JFR command line processing
    + JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems due to process surviving SIGINT
    + JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR TestShutdownEvent
    + JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
    + JDK-8223147: JFR Backport
    + JDK-8223689: Add JFR Thread Sampling Support
    + JDK-8223690: Add JFR BiasedLock Event Support
    + JDK-8223691: Add JFR G1 Region Type Change Event Support
    + JDK-8223692: Add JFR G1 Heap Summary Event Support
    + JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant
    + JDK-8224475: JTextPane does not show images in HTML rendering
    + JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden.
    + JDK-8226779: [TESTBUG] Test JFR API from Java agent
    + JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
    + JDK-8227011: Starting a JFR recording in response to JVMTI VMInit and / or Java agent premain corrupts memory
    + JDK-8227605: Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant"
    + JDK-8229366: JFR backport allows unchecked writing to memory
    + JDK-8229401: Fix JFR code cache test failures
    + JDK-8229708: JFR backport code does not initialize
    + JDK-8229873: 8229401 broke jdk8u-jfr-incubator
    + JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows
    + JDK-8230707: JFR related tests are failing
    + JDK-8230782: Robot.createScreenCapture() fails if "awt.robot.gtk" is set to false
    + JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return
    + JDK-8230947: TestLookForUntestedEvents.java is failing after JDK-8230707
    + JDK-8231995: two jtreg tests failed after 8229366 is fixed
    + JDK-8233623: Add classpath exception to copyright in EventHandlerProxyCreator.java file
    + JDK-8236002: CSR for JFR backport suggests not leaving out the package-info
    + JDK-8236008: Some backup files were accidentally left in the hotspot tree
    + JDK-8236074: Missed package-info
    + JDK-8236174: Should update javadoc since tags
    + JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
    + JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01
    + JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
    + JDK-8238589: Necessary code cleanup in JFR for JDK8u
    + JDK-8238590: Enable JFR by default during compilation in 8u
    + JDK-8239055: Wrong implementation of VMState.hasListener
    + JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair
    + JDK-8239479: minimal1 and zero builds are failing
    + JDK-8239867: correct over use of INCLUDE_JFR macro
    + JDK-8240375: Disable JFR by default for July 2020 release
    + JDK-8241444: Metaspace::_class_vsm not initialized if compressed class pointers are disabled
    + JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR Backport)
    + JDK-8242788: Non-PCH build is broken after JDK-8191393
  * Import of OpenJDK 8 u262 build 02
    + JDK-8130737: AffineTransformOp can't handle child raster with non-zero x-offset
    + JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in java/awt/image/Raster/TestChildRasterOp.java
    + JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
    + JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
    + JDK-8242883: Incomplete backport of JDK-8078268: backport test part
  * Import of OpenJDK 8 u262 build 03
    + JDK-8037866: Replace the Fun class in tests with lambdas
    + JDK-8146612: C2: Precedence edges specification violated
    + JDK-8150986: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java failing because expects HPROF JAVA PROFILE 1.0.1 file format
    + JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions
    + JDK-8230597: Update GIFlib library to the 5.2.1
    + JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
    + JDK-8233880, PR3798: Support compilers with multi-digit major version numbers
    + JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
    + JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set
    + JDK-8243059: Build fails when --with-vendor-name contains a comma
    + JDK-8243474: [TESTBUG] removed three tests of 0 bytes
    + JDK-8244461: [JDK 8u] Build fails with glibc 2.32
    + JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
  * Import of OpenJDK 8 u262 build 04
    + JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null
    + JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
    + JDK-8171934: ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does not recognize OpenJDK's HotSpot VM
    + JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE
    + JDK-8243539: Copyright info (Year) should be updated for fix of 8241638
    + JDK-8244777: ClassLoaderStats VM Op uses constant hash value
  * Import of OpenJDK 8 u262 build 05
    + JDK-7147060: com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java doesn't run in agentvm mode
    + JDK-8178374: Problematic ByteBuffer handling in CipherSpi.bufferCrypt method
    + JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
    + JDK-8227269: Slow class loading when running with JDWP
    + JDK-8229899: Make java.io.File.isInvalid() less racy
    + JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing
    + JDK-8241750: x86_32 build failure after JDK-8227269
    + JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in
    + JDK-8244843: JapanEraNameCompatTest fails
  * Import of OpenJDK 8 u262 build 06
    + JDK-8246223: Windows build fails after JDK-8227269
  * Import of OpenJDK 8 u262 build 07
    + JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing
    + JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
    + JDK-8245167: Top package in method profiling shows null in JMC
    + JDK-8246703: [TESTBUG] Add test for JDK-8233197
  * Import of OpenJDK 8 u262 build 08
    + JDK-8220293: Deadlock in JFR string pool
    + JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020
    + JDK-8225069: Remove Comodo root certificate that is expiring in May 2020
  * Import of OpenJDK 8 u262 build 09
    + JDK-8248399: Build installs jfr binary when JFR is disabled
  * Import of OpenJDK 8 u262 build 10
    + JDK-8248715: New JavaTimeSupplementary localisation for 'in' installed in wrong package
  * Import of OpenJDK 8 u265 build 01
    + JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior
    + JDK-8250546: Expect changed behaviour reported in JDK-8249846
  * Import of OpenJDK 8 u272 build 01
    + JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/Test7177917.java
    + JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals
    + JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c
    + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
    + JDK-8075774: Small readability and performance improvements for zipfs
    + JDK-8132206: move ScanTest.java into OpenJDK
    + JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API
    + JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
    + JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/IOExceptionIfEncodedURLTest.sh
    + JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/MTGraphicsAccessTest.java hangs on Win. 8
    + JDK-8151788: NullPointerException from ntlm.Client.type3
    + JDK-8151834: Test SmallPrimeExponentP.java times out intermittently
    + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
    + JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public
    + JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization
    + JDK-8165936: Potential Heap buffer overflow when seaching timezone info files
    + JDK-8166148: Fix for JDK-8165936 broke solaris builds
    + JDK-8167300: Scheduling failures during gcm should be fatal
    + JDK-8167615: Opensource unit/regression tests for JavaSound
    + JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java
    + JDK-8177628: Opensource unit/regression tests for ImageIO
    + JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
    + JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh
    + JDK-8193137: Nashorn crashes when given an empty script file
    + JDK-8194298: Add support for per Socket configuration of TCP keepalive
    + JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error
    + JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails
    + JDK-8210147: adjust some WSAGetLastError usages in windows network coding
    + JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions
    + JDK-8214862: assert(proj != __null) at compile.cpp:3251
    + JDK-8217606: LdapContext#reconnect always opens a new connection
    + JDK-8217647: JFR: recordings on 32-bit systems unreadable
    + JDK-8226697: Several tests which need the @key headful keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8230303: JDB hangs when running monitor command + JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG + JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion + JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version + JDK-8235325: build failure on Linux after 8235243 + JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink + JDK-8237951: CTW: C2 compilation fails with "malformed control flow" + JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8239819: XToolkit: Misread of screen information memory + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8246310: Clean commented-out code about ModuleEntry and PackageEntry in JFR + JDK-8246384: Enable JFR by default on supported architectures for October 2020 release + JDK-8248643: Remove extra leading space in JDK-8240295 8u backport + JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... 
keys) method public * Import of OpenJDK 8 u272 build 02 + JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times + JDK-8025886: replace [[ and == bash extensions in regtest + JDK-8046274: Removing dependency on jakarta-regexp + JDK-8048933: -XX:+TraceExceptions output should include the message + JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/ /fileaccess/FontFile.java fails + JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent + JDK-8154313: Generated javadoc scattered all over the place + JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k + JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled + JDK-8183349: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java and WriteAfterAbort.java + JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test. 
+ JDK-8201633: Problems with AES-GCM native acceleration + JDK-8211049: Second parameter of "initialize" method is not used + JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero + JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound + JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file + JDK-8224217: RecordingInfo should use textual representation of path + JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/ /SctpNet.c "multiple definition" link errors with GCC10 + JDK-8238388, PR3798: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8250755: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java * Import of OpenJDK 8 u272 build 03 + JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes + JDK-8148754: C2 loop unrolling fails due to unexpected graph shape + JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied + JDK-8203357: Container Metrics + JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + JDK-8216283: Allow shorter method sampling interval than 10 ms + JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified + JDK-8233097: Fontmetrics for large Fonts has zero width + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update * Import of OpenJDK 8 u272 build 04 + JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double + JDK-8177334: Update 
xmldsig implementation to Apache Santuario 2.1.1 + JDK-8217878: ENVELOPING XML signature no longer works in JDK 11 + JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 + JDK-8243138: Enhance BaseLdapServer to support starttls extended request * Import of OpenJDK 8 u272 build 05 + JDK-8026236: Add PrimeTest for BigInteger + JDK-8057003: Large reference arrays cause extremely long synchronization times + JDK-8060721: Test runtime/SharedArchiveFile/ /LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler + JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings + JDK-8168517: java/lang/ProcessBuilder/Basic.java failed + JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean + JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs + JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds + JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled * Import of OpenJDK 8 u272 build 06 + JDK-8064319: Need to enable -XX:+TraceExceptions in release builds + JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40 support + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working + JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface license + JDK-8184762: 
ZapStackSegments should use optimized memset + JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak + JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly + JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8228835: Memory leak in PKCS11 provider when using AES GCM + JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + JDK-8238898, PR3801: Missing hash characters for header on license file + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8245467: Remove 8u TLSv1.2 implementation files + JDK-8245469: Remove DTLS protocol implementation + JDK-8245470: Fix JDK8 compatibility issues + JDK-8245471: Revert JDK-8148188 + JDK-8245472: Backport JDK-8038893 to JDK8 + JDK-8245473: OCSP stapling support + JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712 + JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default + JDK-8245477: Adjust TLS tests location + JDK-8245653: Remove 8u TLS tests + JDK-8245681: Add TLSv1.3 regression test from 11.0.7 + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false + JDK-8251341: Minimal Java specification change + JDK-8251478: Backport TLSv1.3 regression tests to JDK8u * Import of OpenJDK 8 u272 build 07 + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ * Import of OpenJDK 8 u272 build 08 + JDK-8062947: Fix exception message to correctly represent LDAP 
connection failure + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8252573: 8u: Windows build failed after 8222079 backport * Import of OpenJDK 8 u272 build 09 + JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation failed * Import of OpenJDK 8 u272 build 10 + JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158 + JDK-8254937: Revert JDK-8148854 for 8u272 * Backports + JDK-8038723, PR3806: Openup some PrinterJob tests + JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when JTable contains certain string + JDK-8058779, PR3805: Faster implementation of String.replace(CharSequence, CharSequence) + JDK-8130125, PR3806: [TEST_BUG] add @modules to the several client tests unaffected by the automated bulk update + JDK-8144015, PR3806: [PIT] failures of text layout font tests + JDK-8144023, PR3806: [PIT] failure of text measurements in javax/swing/text/html/parser/Parser/6836089/bug6836089.java + JDK-8144240, PR3806: [macosx][PIT] AIOOB in closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8145542, PR3806: The case failed automatically and thrown java.lang.ArrayIndexOutOfBoundsException exception + JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when displaying Devanagari text in JEditorPane + JDK-8152358, PR3800: code and comment cleanups found during the hunt for 8077392 + JDK-8152545, PR3804: Use preprocessor instead of compiling a program to generate native nio constants + JDK-8152680, PR3806: Regression in GlyphVector.getGlyphCharIndex behaviour + JDK-8158924, PR3806: Incorrect i18n text document layout + JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8166068, PR3806: test/java/awt/font/GlyphVector/ /GetGlyphCharIndexTest.java does not compile + JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/ /GlyphPainter2/6427244/bug6427244.java - compilation failed + 
JDK-8191512, PR3806: T2K font rasterizer code removal + JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from JDK sources + JDK-8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal and NoPadding + JDK-8254177, PR3809: (tz) Upgrade time-zone data to tzdata2020b * Bug fixes + PR3798: Fix format-overflow error on GCC 10, caused by passing NULL to a '%s' directive + PR3795: ECDSAUtils for XML digital signatures should support the same curve set as the rest of the JDK + PR3799: Adapt elliptic curve patches to JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3808: IcedTea does not install the JFR *.jfc files + PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has fixed its use with Shenandoah + PR3811: Don't attempt to install JFR files when JFR is disabled * Shenandoah + [backport] 8221435: Shenandoah should not mark through weak roots + [backport] 8221629: Shenandoah: Cleanup class unloading logic + [backport] 8222992: Shenandoah: Pre-evacuate all roots + [backport] 8223215: Shenandoah: Support verifying subset of roots + [backport] 8223774: Shenandoah: Refactor ShenandoahRootProcessor and family + [backport] 8224210: Shenandoah: Refactor ShenandoahRootScanner to support scanning CSet codecache roots + [backport] 8224508: Shenandoah: Need to update thread roots in final mark for piggyback ref update cycle + [backport] 8224579: ResourceMark not declared in shenandoahRootProcessor.inline.hpp with --disable-precompiled-headers + [backport] 8224679: Shenandoah: Make ShenandoahParallelCodeCacheIterator noncopyable + [backport] 8224751: Shenandoah: Shenandoah Verifier should select proper roots according to current GC cycle + [backport] 8225014: Separate ShenandoahRootScanner method for object_iterate + [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't work for Shenandoah + [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to ensure roots to-space invariant + [backport] 8225590: Shenandoah: Refactor 
ShenandoahClassLoaderDataRoots API + [backport] 8226413: Shenandoah: Separate root scanner for SH::object_iterate() + [backport] 8230853: Shenandoah: replace leftover assert(is_in(...)) with rich asserts + [backport] 8231198: Shenandoah: heap walking should visit all roots most of the time + [backport] 8231244: Shenandoah: all-roots heap walking misses some weak roots + [backport] 8237632: Shenandoah: accept NULL fwdptr to cooperate with JVMTI and JFR + [backport] 8239786: Shenandoah: print per-cycle statistics + [backport] 8239926: Shenandoah: Shenandoah needs to mark nmethod's metadata + [backport] 8240671: Shenandoah: refactor ShenandoahPhaseTimings + [backport] 8240749: Shenandoah: refactor ShenandoahUtils + [backport] 8240750: Shenandoah: remove leftover files and mentions of ShenandoahAllocTracker + [backport] 8240868: Shenandoah: remove CM-with-UR piggybacking cycles + [backport] 8240872: Shenandoah: Avoid updating new regions from start of evacuation + [backport] 8240873: Shenandoah: Short-cut arraycopy barriers + [backport] 8240915: Shenandoah: Remove unused fields in init mark tasks + [backport] 8240948: Shenandoah: cleanup not-forwarded-objects paths after JDK-8240868 + [backport] 8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + [backport] 8241062: Shenandoah: rich asserts trigger "empty statement" inspection + [backport] 8241081: Shenandoah: Do not modify update-watermark concurrently + [backport] 8241093: Shenandoah: editorial changes in flag descriptions + [backport] 8241139: Shenandoah: distribute mark-compact work exactly to minimize fragmentation + [backport] 8241142: Shenandoah: should not use parallel reference processing with single GC thread + [backport] 8241351: Shenandoah: fragmentation metrics overhaul + [backport] 8241435: Shenandoah: avoid disabling pacing with "aggressive" + [backport] 8241520: Shenandoah: simplify region sequence numbers handling + [backport] 8241534: Shenandoah: region status should include 
update watermark + [backport] 8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + [backport] 8241583: Shenandoah: turn heap lock asserts into macros + [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not derive from ContiguousSpace + [backport] 8241673: Shenandoah: refactor anti-false-sharing padding + [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at shenandoahSupport.cpp:2858 with java/util/Collections/FindSubList.java + [backport] 8241692: Shenandoah: remove ShenandoahHeapRegion::_reserved + [backport] 8241700: Shenandoah: Fold ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier + [backport] 8241740: Shenandoah: remove ShenandoahHeapRegion::_heap + [backport] 8241743: Shenandoah: refactor and inline ShenandoahHeap::heap() + [backport] 8241748: Shenandoah: inline MarkingContext TAMS methods + [backport] 8241838: Shenandoah: no need to trash cset during final mark + [backport] 8241841: Shenandoah: ditch one of allocation type counters in ShenandoahHeapRegion + [backport] 8241842: Shenandoah: inline ShenandoahHeapRegion::region_number + [backport] 8241844: Shenandoah: rename ShenandoahHeapRegion::region_number + [backport] 8241845: Shenandoah: align ShenandoahHeapRegions to cache lines + [backport] 8241926: Shenandoah: only print heap changes for operations that directly affect it + [backport] 8241983: Shenandoah: simplify FreeSet logging + [backport] 8241985: Shenandoah: simplify collectable garbage logging + [backport] 8242040: Shenandoah: print allocation failure type + [backport] 8242041: Shenandoah: adaptive heuristics should account evac reserve in free target + [backport] 8242042: Shenandoah: tune down ShenandoahGarbageThreshold + [backport] 8242054: Shenandoah: New incremental-update mode + [backport] 8242075: Shenandoah: rename ShenandoahHeapRegionSize flag + [backport] 8242082: Shenandoah: Purge Traversal mode + [backport] 8242083: Shenandoah: split "Prepare Evacuation" tracking into cset/freeset counters + [backport] 
8242089: Shenandoah: per-worker stats should be summed up, not averaged + [backport] 8242101: Shenandoah: coalesce and parallelise heap region walks during the pauses + [backport] 8242114: Shenandoah: remove ShenandoahHeapRegion::reset_alloc_metadata_to_shared + [backport] 8242130: Shenandoah: Simplify arraycopy-barrier dispatching + [backport] 8242211: Shenandoah: remove ShenandoahHeuristics::RegionData::_seqnum_last_alloc + [backport] 8242212: Shenandoah: initialize ShenandoahHeuristics::_region_data eagerly + [backport] 8242213: Shenandoah: remove ShenandoahHeuristics::_bytes_in_cset + [backport] 8242217: Shenandoah: Enable GC mode to be diagnostic/experimental and have a name + [backport] 8242227: Shenandoah: transit regions to cset state when adding to collection set + [backport] 8242228: Shenandoah: remove unused ShenandoahCollectionSet methods + [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion liveness-related methods + [backport] 8242267: Shenandoah: regions space needs to be aligned by os::vm_allocation_granularity() + [backport] 8242271: Shenandoah: add test to verify GC mode unlock + [backport] 8242273: Shenandoah: accept either SATB or IU barriers, but not both + [backport] 8242301: Shenandoah: Inline LRB runtime call + [backport] 8242316: Shenandoah: Turn NULL-check into assert in SATB slow-path entry + [backport] 8242353: Shenandoah: micro-optimize region liveness handling + [backport] 8242365: Shenandoah: use uint16_t instead of jushort for liveness cache + [backport] 8242375: Shenandoah: Remove ShenandoahHeuristic::record_gc_start/end methods + [backport] 8242641: Shenandoah: clear live data and update TAMS optimistically + [backport] 8243238: Shenandoah: explicit GC request should wait for a complete GC cycle + [backport] 8243301: Shenandoah: ditch ShenandoahAllowMixedAllocs + [backport] 8243307: Shenandoah: remove ShCollectionSet::live_data + [backport] 8243395: Shenandoah: demote guarantee in ShenandoahPhaseTimings::record_workers_end 
+ [backport] 8243463: Shenandoah: ditch total_pause counters + [backport] 8243464: Shenandoah: print statistic counters in time order + [backport] 8243465: Shenandoah: ditch unused pause_other, conc_other counters + [backport] 8243487: Shenandoah: make _num_phases illegal phase type + [backport] 8243494: Shenandoah: set counters once per cycle + [backport] 8243573: Shenandoah: rename GCParPhases and related code + [backport] 8243848: Shenandoah: Windows build fails after JDK-8239786 + [backport] 8244180: Shenandoah: carry Phase to ShWorkerTimingsTracker explicitly + [backport] 8244200: Shenandoah: build breakages after JDK-8241743 + [backport] 8244226: Shenandoah: per-cycle statistics contain worker data from previous cycles + [backport] 8244326: Shenandoah: global statistics should not accept bogus samples + [backport] 8244509: Shenandoah: refactor ShenandoahBarrierC2Support::test_* methods + [backport] 8244551: Shenandoah: Fix racy update of update_watermark + [backport] 8244667: Shenandoah: SBC2Support::test_gc_state takes loop for wrong control + [backport] 8244730: Shenandoah: gc/shenandoah/options/ /TestHeuristicsUnlock.java should only verify the heuristics + [backport] 8244732: Shenandoah: move heuristics code to gc/shenandoah/heuristics + [backport] 8244737: Shenandoah: move mode code to gc/shenandoah/mode + [backport] 8244739: Shenandoah: break superclass dependency on ShenandoahNormalMode + [backport] 8244740: Shenandoah: rename ShenandoahNormalMode to ShenandoahSATBMode + [backport] 8245461: Shenandoah: refine mode name()-s + [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings constructor arguments + [backport] 8245464: Shenandoah: allocate collection set bitmap at lower addresses + [backport] 8245465: Shenandoah: test_in_cset can use more efficient encoding + [backport] 8245726: Shenandoah: lift/cleanup ShenandoahHeuristics names and properties + [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch + [backport] 8245757: Shenandoah: 
AlwaysPreTouch should not disable heap resizing or uncommits + [backport] 8245773: Shenandoah: Windows assertion failure after JDK-8245464 + [backport] 8245812: Shenandoah: compute root phase parallelism + [backport] 8245814: Shenandoah: reconsider format specifiers for stats + [backport] 8245825: Shenandoah: Remove diagnostic flag ShenandoahConcurrentScanCodeRoots + [backport] 8246162: Shenandoah: full GC does not mark code roots when class unloading is off + [backport] 8247310: Shenandoah: pacer should not affect interrupt status + [backport] 8247358: Shenandoah: reconsider free budget slice for marking + [backport] 8247367: Shenandoah: pacer should wait on lock instead of exponential backoff + [backport] 8247474: Shenandoah: Windows build warning after JDK-8247310 + [backport] 8247560: Shenandoah: heap iteration holds root locks all the time + [backport] 8247593: Shenandoah: should not block pacing reporters + [backport] 8247751: Shenandoah: options tests should run with smaller heaps + [backport] 8247754: Shenandoah: mxbeans tests can be shorter + [backport] 8247757: Shenandoah: split heavy tests by heuristics to improve parallelism + [backport] 8247860: Shenandoah: add update watermark line in rich assert failure message + [backport] 8248041: Shenandoah: pre-Full GC root updates may miss some roots + [backport] 8248652: Shenandoah: SATB buffer handling may assume no forwarded objects + [backport] 8249560: Shenandoah: Fix racy GC request handling + [backport] 8249649: Shenandoah: provide per-cycle pacing stats + [backport] 8249801: Shenandoah: Clear soft-refs on requested GC cycle + [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + Fix slowdebug build after JDK-8230853 backport + JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and JFR + JDK-8252366: Shenandoah: revert/cleanup changes in graphKit.cpp + Shenandoah: add JFR roots to root processor after JFR integration + Shenandoah: add root statistics 
for string dedup table/queues + Shenandoah: enable low-frequency STW class unloading + Shenandoah: fix build failures after JDK-8244737 backport + Shenandoah: Fix build failure with +JFR -PCH + Shenandoah: fix forceful pacer claim + Shenandoah: fix formats in ShenandoahStringSymbolTableUnlinkTask + Shenandoah: fix runtime linking failure due to non-compiled shenandoahBarrierSetC1 + Shenandoah: hook statistics printing to PrintGCDetails, not PrintGC + Shenandoah: JNI weak roots are always cleared before Full GC mark + Shenandoah: missing SystemDictionary roots in ShenandoahHeapIterationRootScanner + Shenandoah: move barrier sets to their proper locations + Shenandoah: move parallelCleaning.* to shenandoah/ + Shenandoah: pacer should use proper Atomics for intptr_t + Shenandoah: properly deallocates class loader metadata + Shenandoah: specialize String Table scans for better pause performance + Shenandoah: Zero build fails after recent Atomic cleanup in Pacer * AArch64 port + JDK-8161072, PR3797: AArch64: jtreg compiler/uncommontrap/TestDeoptOOM failure + JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java generates guarantee failure in C1 + JDK-8183925, PR3797: [AArch64] Decouple crash protection from watcher thread + JDK-8199712, PR3797: [AArch64] Flight Recorder + JDK-8203481, PR3797: Incorrect constraint for unextended_sp in frame:safe_for_sender + JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall fails with SIGILL on aarch64 + JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command + JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java fails on AArch64 + JDK-8216989, PR3797: CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier() does not check for zero length on AARCH64 + JDK-8217368, PR3797: AArch64: C2 recursive stack locking optimisation not triggered + JDK-8221658, PR3797: aarch64: add necessary predicate for ubfx patterns + JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a BufferBlob + JDK-8246482, PR3797: Build 
failures with +JFR -PCH + JDK-8247979, PR3797: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248219, PR3797: aarch64: missing memory barrier in fast_storefield and fast_accessfield - Ignore whitespaces after the header or footer in PEM X.509 cert (bsc#1171352) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3191=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3191=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3191=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3191=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3191=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3191=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3191=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3191=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3191=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3191=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3191=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3191=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3191=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3191=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3191=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3191=1 Package List: - SUSE 
OpenStack Cloud Crowbar 9 (x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE OpenStack Cloud 9 (x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 
java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-1.8.0.272-27.48.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-1.8.0.272-27.48.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-1.8.0.272-27.48.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.272-27.48.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1 
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

   - HPE Helion Openstack 8 (x86_64):

      java-1_8_0-openjdk-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-1.8.0.272-27.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-1.8.0.272-27.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-27.48.1

References:

   https://www.suse.com/security/cve/CVE-2020-14556.html
   https://www.suse.com/security/cve/CVE-2020-14577.html
   https://www.suse.com/security/cve/CVE-2020-14578.html
   https://www.suse.com/security/cve/CVE-2020-14579.html
   https://www.suse.com/security/cve/CVE-2020-14581.html
   https://www.suse.com/security/cve/CVE-2020-14583.html
   https://www.suse.com/security/cve/CVE-2020-14593.html
   https://www.suse.com/security/cve/CVE-2020-14621.html
   https://www.suse.com/security/cve/CVE-2020-14779.html
   https://www.suse.com/security/cve/CVE-2020-14781.html
   https://www.suse.com/security/cve/CVE-2020-14782.html
   https://www.suse.com/security/cve/CVE-2020-14792.html
   https://www.suse.com/security/cve/CVE-2020-14796.html
   https://www.suse.com/security/cve/CVE-2020-14797.html
   https://www.suse.com/security/cve/CVE-2020-14798.html
   https://www.suse.com/security/cve/CVE-2020-14803.html
   https://bugzilla.suse.com/1171352
   https://bugzilla.suse.com/1174157
   https://bugzilla.suse.com/1177943

From sle-security-updates at lists.suse.com Fri Nov 6 13:15:29 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:15:29 +0100 (CET)
Subject: SUSE-SU-2020:3250-1: critical: Security update for SUSE Manager 4.0
Message-ID: <20201106201529.61925FFAC@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3250-1
Rating:             critical
References:         #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This security update for SUSE Manager 4.0 provides the following fixes:

   py26-compat-salt:

   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   spacewalk-java:

   - Use correct eauth module and credentials for Salt SSH calls.
     (bsc#1178319, CVE-2020-25592)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3250=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      py26-compat-salt-2016.11.10-10.17.1
      spacewalk-java-4.0.39-3.45.1
      spacewalk-java-config-4.0.39-3.45.1
      spacewalk-java-lib-4.0.39-3.45.1
      spacewalk-java-postgresql-4.0.39-3.45.1
      spacewalk-taskomatic-4.0.39-3.45.1

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:16:41 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:16:41 +0100 (CET)
Subject: SUSE-SU-2020:14538-1: critical: Security update for SUSE Manager Client Tools
Message-ID: <20201106201641.234D7FFAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14538-1
Rating:             critical
References:         #1167907 #1169664 #1176978 #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves three vulnerabilities and has three fixes is now
   available.
Description:

   This update fixes the following issues:

   cobbler:

   - Fix parsing cobbler dictionary options with values containing "=",
     e.g. kernel params containing "=" (bsc#1176978)

   mgr-daemon:

   - Update translation strings

   salt:

   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

   spacewalk-client-tools:

   - Remove RH references in Python/Ruby localization and use the product
     name instead

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS:

      zypper in -t patch slesctsp4-client-tools-202010-14538=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS:

      zypper in -t patch slesctsp3-client-tools-202010-14538=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      koan-2.2.2-0.68.12.1
      mgr-daemon-4.1.3-5.20.1
      mgr-daemon-debuginfo-4.1.3-5.20.1
      mgr-daemon-debugsource-4.1.3-5.20.1
      python2-spacewalk-check-4.1.7-27.38.1
      python2-spacewalk-client-setup-4.1.7-27.38.1
      python2-spacewalk-client-tools-4.1.7-27.38.1
      salt-2016.11.10-43.63.1
      salt-doc-2016.11.10-43.63.1
      salt-minion-2016.11.10-43.63.1
      spacecmd-4.1.8-18.72.1
      spacewalk-check-4.1.7-27.38.1
      spacewalk-client-setup-4.1.7-27.38.1
      spacewalk-client-tools-4.1.7-27.38.1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      koan-2.2.2-0.68.12.1
      mgr-daemon-4.1.3-5.20.1
      mgr-daemon-debuginfo-4.1.3-5.20.1
      mgr-daemon-debugsource-4.1.3-5.20.1
      python2-spacewalk-check-4.1.7-27.38.1
      python2-spacewalk-client-setup-4.1.7-27.38.1
      python2-spacewalk-client-tools-4.1.7-27.38.1
      salt-2016.11.10-43.63.1
      salt-doc-2016.11.10-43.63.1
      salt-minion-2016.11.10-43.63.1
      spacecmd-4.1.8-18.72.1
      spacewalk-check-4.1.7-27.38.1
      spacewalk-client-setup-4.1.7-27.38.1
      spacewalk-client-tools-4.1.7-27.38.1

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1176978
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:18:15 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:18:15 +0100 (CET)
Subject: SUSE-SU-2020:3245-1: critical: Security update for Salt
Message-ID: <20201106201815.6A1A0FFAB@maintenance.suse.de>

SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3245-1
Rating:             critical
References:         #1159670 #1175987 #1176024 #1176294 #1176397 #1177867
                    #1178319 #1178361 #1178362 #1178485
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Manager Tools 12
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
                    SUSE Linux Enterprise Point of Sale 12-SP2
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has 7 fixes is now
   available.
Description:

   This update fixes the following issues:

   salt:

   - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'
     (bsc#1177867)
   - Ensure virt.update stop_on_reboot is updated with its default value
   - Do not break package building for systemd OSes
   - Drop wrong mock from chroot unit test
   - Support systemd versions with dot (bsc#1176294)
   - Fix for grains.test_core unit test
   - Fix file/directory user and group ownership containing UTF-8 characters
     (bsc#1176024)
   - Several changes to virtualization:
     - Fix virt update when cpu and memory are changed
     - Memory Tuning GSoC
     - Properly fix memory setting regression in virt.update
     - Expose libvirt on_reboot in virt states
   - Support transactional systems (MicroOS)
   - Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
   - Xen disk fixes. No longer generates volumes for Xen disks, but the
     corresponding file or block disk (bsc#1175987)
   - Invalidate file list cache when cache file modified time is in the
     future (bsc#1176397)
   - Prevent import errors when running test_btrfs unit tests
   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)
   - Avoid regression on "salt-master": set passphrase for salt-ssh keys to
     empty string (bsc#1178485)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-3245=1

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-3245=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-3245=1

   - SUSE Linux Enterprise Point of Sale 12-SP2:

      zypper in -t patch SUSE-SLE-POS-12-SP2-2020-3245=1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12:

      zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-3245=1

Package List:

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      python2-salt-3000-46.114.1
      python3-salt-3000-46.114.1
      salt-3000-46.114.1
      salt-doc-3000-46.114.1
      salt-minion-3000-46.114.1

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      python2-salt-3000-46.114.1
      python3-salt-3000-46.114.1
      salt-3000-46.114.1
      salt-api-3000-46.114.1
      salt-cloud-3000-46.114.1
      salt-doc-3000-46.114.1
      salt-master-3000-46.114.1
      salt-minion-3000-46.114.1
      salt-proxy-3000-46.114.1
      salt-ssh-3000-46.114.1
      salt-standalone-formulas-configuration-3000-46.114.1
      salt-syndic-3000-46.114.1

   - SUSE Manager Server 3.2 (noarch):

      salt-bash-completion-3000-46.114.1
      salt-zsh-completion-3000-46.114.1

   - SUSE Manager Proxy 3.2 (x86_64):

      python2-salt-3000-46.114.1
      python3-salt-3000-46.114.1
      salt-3000-46.114.1
      salt-minion-3000-46.114.1

   - SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64):

      python2-salt-3000-46.114.1
      salt-3000-46.114.1
      salt-minion-3000-46.114.1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):

      python2-salt-3000-46.114.1
      salt-3000-46.114.1
      salt-api-3000-46.114.1
      salt-cloud-3000-46.114.1
      salt-doc-3000-46.114.1
      salt-master-3000-46.114.1
      salt-minion-3000-46.114.1
      salt-proxy-3000-46.114.1
      salt-ssh-3000-46.114.1
      salt-standalone-formulas-configuration-3000-46.114.1
      salt-syndic-3000-46.114.1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch):

      salt-bash-completion-3000-46.114.1
      salt-zsh-completion-3000-46.114.1

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1159670
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176024
   https://bugzilla.suse.com/1176294
   https://bugzilla.suse.com/1176397
   https://bugzilla.suse.com/1177867
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362
   https://bugzilla.suse.com/1178485

From sle-security-updates at lists.suse.com Fri Nov 6 13:20:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:20:08 +0100 (CET)
Subject: SUSE-SU-2020:3235-1: important: Security update for SUSE Manager Server 4.1
Message-ID: <20201106202008.9F2B7FFAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3235-1
Rating:             important
References:         #1144447 #1167907 #1169664 #1173199 #1175843 #1175876
                    #1176159 #1176307 #1176413 #1176603 #1176629 #1176765
                    #1177092 #1177235 #1177396 #1177478 #1177524 #1177730
                    #1177790 #1177892 #1178060 #1178145 #1178204 #1178319
                    #1178361 #1178362
Cross-References:   CVE-2020-15168 CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has 22 fixes is now
   available.
Description:

   This update fixes the following issues:

   bind-formula:

   - Temporarily disable dnssec-validation as hotfix for bsc#1177790

   grafana-formula:

   - Use variable for product name
   - Add HA/SAP dashboards
   - Add support for system groups in Client Systems dashboard

   image-sync-formula:

   - Do not use .gz suffix for default initrd symlink
   - Keep the old symlink "initrd.gz" for compatibility

   prometheus-exporters-formula:

   - Fix empty directory values initialization
   - Add systemd collector as default for node_exporters since otherwise some
     SAP/HA grafana dashboards will be empty
   - Disable reverse proxy on default

   prometheus-formula:

   - Disable Alertmanager clustering (bsc#1178145)
   - Use variable for product name

   pxe-formula:

   - Change default to "initrd" without .gz suffix

   py26-compat-salt:

   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   python-susemanager-retail:

   - Use name "initrd" without .gz suffix

   salt-netapi-client:

   - Version 0.18.0
     See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

   saltboot-formula:

   - Allow setting terminal kernel parameters in saltboot formula

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

   spacewalk-admin:

   - Show info message when applying schema upgrade

   spacewalk-backend:

   - Prevent IntegrityError during mgr-inter-sync execution (bsc#1177235)

   spacewalk-branding:

   - Enable to switch to multiple webUI theme

   spacewalk-client-tools:

   - Remove RH references in Python/Ruby localization and use the product
     name instead

   spacewalk-java:

   - Use correct eauth module and credentials for Salt SSH calls (bsc#1178319)
   - Remove expiration date from ics files (bsc#1177892)
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Enable to switch to multiple webUI theme
   - Fix action chain resuming when patches updating salt-minion
     don't cause service to be restarted (bsc#1144447)
   - Renaming autoinstall distro didn't change the name of the Cobbler distro
     (bsc#1175876)
   - Fix the links for downloading the binaries in the package details UI
     (bsc#1176603)
   - Allow nightly ISS sync to also cover custom channels
   - Fix: reinspecting a container image (bsc#1177092)
   - Add power management xmlrpc api
   - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting system
     (bsc#1176159)
   - Log exception trace on fatal Taskomatic startup error
   - Fix max password length check at user creation (bsc#1176765)
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server
   - Fix SP migration after dry run for cloned channels (bsc#1176307)
   - Filter not available optional channels out

   spacewalk-search:

   - Change default maximum memory to 512 MB, preventing OutOfMemoryError

   spacewalk-web:

   - Enable to switch to multiple webUI theme
   - Only refresh the virtual storage list when pool events are received
   - Drop node-fetch to fix CVE-2020-15168
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server

   susemanager:

   - Create bootstrap repo should not flush by default (bsc#1175843)
   - Improve detection of base channels for products (bsc#1177478)
   - Add LTSS PIDs for SLE12SP1, SLE12SP2, SLE12SP3 and SLE12SP4 to the
     bootstrap definitions as some packages from LTSS are required
     (bsc#1177524)
   - Fix logrotate config
   - Add missing packages to ubuntu20.04 bootstrap data (bsc#1176629)

   susemanager-build-keys:

   - Replace "SuSE" user-facing references with "SUSE"

   susemanager-doc-indexes:

   - Documented zypper autorefresh feature in Upgrade Guide
   - Update SP Migration chapter in Client Configuration Guide
   - In Client Configuration and Upgrade Guide, add link to valid autoyast
     upgrade settings
   - Move client upgrade related sections from Reference and Upgrade Guide to Client
     Configuration Guide
   - Updated Requirements chapter in Installation Guide.
   - Edits OpenSCAP section in Admin Guide (bsc#1176413)
   - Updated Terminology section in Salt Guide
   - Added on-demand images content to Install Guide
   - Adds webUI locale choice to Ref & Admin Guides
   - Adds new System Types section to Client Cfg
   - Updates supported client matrix in Install Guide
   - Add note about log file to Upgrade Guide
   - Removes outdated content from Activation Keys section (bsc#1177396)
   - Adds note about PAM Auth during migration (bsc#1177730)
   - Fixed broken table in admin guide

   susemanager-docs_en:

   - Documented zypper autorefresh feature in Upgrade Guide
   - Update SP Migration chapter in Client Configuration Guide
   - In Client Configuration and Upgrade Guide, add link to valid autoyast
     upgrade settings
   - Move client upgrade related sections from Reference and Upgrade Guide to
     Client Configuration Guide
   - Updated Requirements chapter in Installation Guide.
   - Edits OpenSCAP section in Admin Guide (bsc#1176413)
   - Updated Terminology section in Salt Guide
   - Added on-demand images content to Install Guide
   - Adds webUI locale choice to Ref & Admin Guides
   - Adds new System Types section to Client Cfg
   - Updates supported client matrix in Install Guide
   - Add note about log file to Upgrade Guide
   - Removes outdated content from Activation Keys section (bsc#1177396)
   - Adds note about PAM Auth during migration (bsc#1177730)
   - Fixed broken table in admin guide

   susemanager-schema:

   - Add web_theme user preferences column (bsc#1178204)
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Show info message when applying schema upgrade

   susemanager-sls:

   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Make grub2 autoinstall kernel path relative to the boot partition root
     (bsc#1175876)
   - Move channel token information from sources.list to auth.conf on Debian
     10 and Ubuntu 18 and newer
   - Add support for activation keys on server
     configuration Salt modules
   - Ensure the yum/dnf plugins are enabled
   - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting system
     (bsc#1176159)
   - Fix grub2 autoinstall kernel path (bsc#1178060)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:

      spacewalk-service stop

   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema:

      spacewalk-schema-upgrade

   5. Start the Spacewalk service:

      spacewalk-service start

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-3235=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      spacewalk-branding-4.1.11-3.9.6
      susemanager-4.1.21-3.11.6
      susemanager-tools-4.1.21-3.11.6

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      bind-formula-0.1.1603299886.60e4bcf-3.3.2
      grafana-formula-0.3.0-3.3.2
      image-sync-formula-0.1.1602150122.f08af0a-3.6.2
      prometheus-exporters-formula-0.8.0-3.16.2
      prometheus-formula-0.3.0-3.3.1
      pxe-formula-0.1.1602490840.4f32148-3.3.2
      py26-compat-salt-2016.11.10-6.3.3
      python3-spacewalk-client-tools-4.1.7-4.6.4
      python3-susemanager-retail-1.0.1602150122.f08af0a-3.3.2
      salt-netapi-client-0.18.0-15.7.5
      saltboot-formula-0.1.1602150122.f08af0a-3.6.2
      spacecmd-4.1.8-4.9.2
      spacewalk-admin-4.1.7-3.6.3
      spacewalk-backend-4.1.16-4.11.5
      spacewalk-backend-app-4.1.16-4.11.5
      spacewalk-backend-applet-4.1.16-4.11.5
      spacewalk-backend-config-files-4.1.16-4.11.5
      spacewalk-backend-config-files-common-4.1.16-4.11.5
      spacewalk-backend-config-files-tool-4.1.16-4.11.5
      spacewalk-backend-iss-4.1.16-4.11.5
      spacewalk-backend-iss-export-4.1.16-4.11.5
      spacewalk-backend-package-push-server-4.1.16-4.11.5
      spacewalk-backend-server-4.1.16-4.11.5
      spacewalk-backend-sql-4.1.16-4.11.5
      spacewalk-backend-sql-postgresql-4.1.16-4.11.5
      spacewalk-backend-tools-4.1.16-4.11.5
      spacewalk-backend-xml-export-libs-4.1.16-4.11.5
      spacewalk-backend-xmlrpc-4.1.16-4.11.5
      spacewalk-base-4.1.19-3.9.5
      spacewalk-base-minimal-4.1.19-3.9.5
      spacewalk-base-minimal-config-4.1.19-3.9.5
      spacewalk-client-tools-4.1.7-4.6.4
      spacewalk-html-4.1.19-3.9.5
      spacewalk-java-4.1.22-3.16.4
      spacewalk-java-config-4.1.22-3.16.4
      spacewalk-java-lib-4.1.22-3.16.4
      spacewalk-java-postgresql-4.1.22-3.16.4
      spacewalk-search-4.1.3-3.3.7
      spacewalk-taskomatic-4.1.22-3.16.4
      susemanager-build-keys-15.2.2-3.6.3
      susemanager-build-keys-web-15.2.2-3.6.3
      susemanager-doc-indexes-4.1-11.17.1
      susemanager-docs_en-4.1-11.17.1
      susemanager-docs_en-pdf-4.1-11.17.1
      susemanager-retail-tools-1.0.1602150122.f08af0a-3.3.2
      susemanager-schema-4.1.15-3.11.2
      susemanager-sls-4.1.17-3.13.6
      susemanager-web-libs-4.1.19-3.9.5
      uyuni-config-modules-4.1.17-3.13.6

References:

   https://www.suse.com/security/cve/CVE-2020-15168.html
   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1144447
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1173199
   https://bugzilla.suse.com/1175843
   https://bugzilla.suse.com/1175876
   https://bugzilla.suse.com/1176159
   https://bugzilla.suse.com/1176307
   https://bugzilla.suse.com/1176413
   https://bugzilla.suse.com/1176603
   https://bugzilla.suse.com/1176629
   https://bugzilla.suse.com/1176765
   https://bugzilla.suse.com/1177092
   https://bugzilla.suse.com/1177235
   https://bugzilla.suse.com/1177396
   https://bugzilla.suse.com/1177478
   https://bugzilla.suse.com/1177524
   https://bugzilla.suse.com/1177730
   https://bugzilla.suse.com/1177790
   https://bugzilla.suse.com/1177892
   https://bugzilla.suse.com/1178060
   https://bugzilla.suse.com/1178145
   https://bugzilla.suse.com/1178204
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:24:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:24:50 +0100 (CET)
Subject: SUSE-SU-2020:14535-1: critical: Security update for SUSE Manager Client Tools
Message-ID: <20201106202450.2FD27FFAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14535-1
Rating:             critical
References:         #1159670 #1167907 #1169664 #1175987 #1176024 #1176294
                    #1176397 #1177867 #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Manager Ubuntu 16.04-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves three vulnerabilities and has 8 fixes is now
   available.
Description:

   This update fixes the following issues:

   salt:

   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)
   - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'
     (bsc#1177867)
   - Ensure virt.update stop_on_reboot is updated with its default value
   - Do not break package building for systemd OSes
   - Drop wrong mock from chroot unit test
   - Support systemd versions with dot (bsc#1176294)
   - Fix for grains.test_core unit test
   - Fix file/directory user and group ownership containing UTF-8 characters
     (bsc#1176024)
   - Several changes to virtualization:
     - Fix virt update when cpu and memory are changed
     - Memory Tuning GSoC
     - Properly fix memory setting regression in virt.update
     - Expose libvirt on_reboot in virt states
   - Support transactional systems (MicroOS)
   - Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
   - Xen disk fixes. No longer generates volumes for Xen disks, but the
     corresponding file or block disk (bsc#1175987)
   - Invalidate file list cache when cache file modified time is in the
     future (bsc#1176397)
   - Prevent import errors when running test_btrfs unit tests

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS:

      zypper in -t patch suse-ubu164ct-client-tools-202010-14535=1

Package List:

   - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS (all):

      salt-common-3000+ds-1+58.1
      salt-minion-3000+ds-1+58.1
      spacecmd-4.1.8-14.2

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1159670
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176024
   https://bugzilla.suse.com/1176294
   https://bugzilla.suse.com/1176397
   https://bugzilla.suse.com/1177867
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:29:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:29:56 +0100 (CET)
Subject: SUSE-SU-2020:3244-1: critical: Security update for Salt
Message-ID: <20201106202956.45C5DFFAB@maintenance.suse.de>

SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3244-1
Rating:             critical
References:         #1159670 #1175987 #1176024 #1176294 #1176397 #1177867
                    #1178319 #1178361 #1178362 #1178485
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves three vulnerabilities and has 7 fixes is now
   available.
Description:

   This update fixes the following issues:

   salt:

   - Avoid regression on "salt-master": set passphrase for salt-ssh keys to
     empty string (bsc#1178485)
   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)
   - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'
     (bsc#1177867)
   - Ensure virt.update stop_on_reboot is updated with its default value
   - Do not break package building for systemd OSes
   - Drop wrong mock from chroot unit test
   - Support systemd versions with dot (bsc#1176294)
   - Fix for grains.test_core unit test
   - Fix file/directory user and group ownership containing UTF-8 characters
     (bsc#1176024)
   - Several changes to virtualization:
     - Fix virt update when cpu and memory are changed
     - Memory Tuning GSoC
     - Properly fix memory setting regression in virt.update
     - Expose libvirt on_reboot in virt states
   - Support transactional systems (MicroOS)
   - Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
   - Xen disk fixes. No longer generates volumes for Xen disks, but the
     corresponding file or block disk (bsc#1175987)
   - Invalidate file list cache when cache file modified time is in the
     future (bsc#1176397)
   - Prevent import errors when running test_btrfs unit tests

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3244=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3244=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3244=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3244=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      python2-salt-3000-5.91.1
      python3-salt-3000-5.91.1
      salt-3000-5.91.1
      salt-api-3000-5.91.1
      salt-cloud-3000-5.91.1
      salt-doc-3000-5.91.1
      salt-master-3000-5.91.1
      salt-minion-3000-5.91.1
      salt-proxy-3000-5.91.1
      salt-ssh-3000-5.91.1
      salt-standalone-formulas-configuration-3000-5.91.1
      salt-syndic-3000-5.91.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      salt-bash-completion-3000-5.91.1
      salt-fish-completion-3000-5.91.1
      salt-zsh-completion-3000-5.91.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      python2-salt-3000-5.91.1
      python3-salt-3000-5.91.1
      salt-3000-5.91.1
      salt-api-3000-5.91.1
      salt-cloud-3000-5.91.1
      salt-doc-3000-5.91.1
      salt-master-3000-5.91.1
      salt-minion-3000-5.91.1
      salt-proxy-3000-5.91.1
      salt-ssh-3000-5.91.1
      salt-standalone-formulas-configuration-3000-5.91.1
      salt-syndic-3000-5.91.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      salt-bash-completion-3000-5.91.1
      salt-fish-completion-3000-5.91.1
      salt-zsh-completion-3000-5.91.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      python2-salt-3000-5.91.1
      python3-salt-3000-5.91.1
      salt-3000-5.91.1
      salt-api-3000-5.91.1
      salt-cloud-3000-5.91.1
      salt-doc-3000-5.91.1
      salt-master-3000-5.91.1
      salt-minion-3000-5.91.1
      salt-proxy-3000-5.91.1
      salt-ssh-3000-5.91.1
      salt-standalone-formulas-configuration-3000-5.91.1
      salt-syndic-3000-5.91.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      salt-bash-completion-3000-5.91.1
      salt-fish-completion-3000-5.91.1
      salt-zsh-completion-3000-5.91.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      python2-salt-3000-5.91.1
      python3-salt-3000-5.91.1
      salt-3000-5.91.1
      salt-api-3000-5.91.1
      salt-cloud-3000-5.91.1
      salt-doc-3000-5.91.1
      salt-master-3000-5.91.1
      salt-minion-3000-5.91.1
      salt-proxy-3000-5.91.1
      salt-ssh-3000-5.91.1
      salt-standalone-formulas-configuration-3000-5.91.1
      salt-syndic-3000-5.91.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      salt-bash-completion-3000-5.91.1
      salt-fish-completion-3000-5.91.1
      salt-zsh-completion-3000-5.91.1

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1159670
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176024
   https://bugzilla.suse.com/1176294
   https://bugzilla.suse.com/1176397
   https://bugzilla.suse.com/1177867
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362
   https://bugzilla.suse.com/1178485

From sle-security-updates at lists.suse.com Fri Nov 6 13:32:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:32:05 +0100 (CET)
Subject: SUSE-SU-2020:3225-1: important: Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3)
Message-ID: <20201106203205.C37E6FFAB@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3225-1
Rating:             important
References:         #1176012 #1176072 #1176382 #1176896 #1176931
Cross-References:   CVE-2020-0429 CVE-2020-0431 CVE-2020-14381 CVE-2020-14386
                    CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP2-LTSS
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.4.180-94_107 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-0429: In l2tp_session_delete and related functions of
     l2tp_core.c, there is possible memory corruption due to a use after
     free. This could lead to local escalation of privilege with system
     execution privileges needed. User interaction is not needed for
     exploitation. (bsc#1176724)
   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex)
     wait operation, which could have led to memory corruption and possibly
     privilege escalation (bsc#1176011).
   - CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of
     bounds write due to a missing bounds check. This could lead to local
     escalation of privilege with no additional execution privileges needed.
     User interaction is not needed for exploitation. (bsc#1176722)
   - CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used
     by local attackers to corrupt memory or possibly have unspecified other
     impact because a size check is in fs/nfs/nfs4proc.c instead of
     fs/nfs/nfs4xdr.c (bsc#1176381).
   - CVE-2020-14386: Fixed a memory corruption which could have led to an
     attacker gaining root privileges from unprivileged processes. The
     highest threat from this vulnerability is to data confidentiality and
     integrity (bsc#1176069).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3202=1 SUSE-SLE-SAP-12-SP3-2020-3209=1 SUSE-SLE-SAP-12-SP3-2020-3218=1 SUSE-SLE-SAP-12-SP3-2020-3220=1 SUSE-SLE-SAP-12-SP3-2020-3221=1 SUSE-SLE-SAP-12-SP3-2020-3225=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3227=1 SUSE-SLE-SAP-12-SP2-2020-3228=1 SUSE-SLE-SAP-12-SP2-2020-3229=1 SUSE-SLE-SAP-12-SP2-2020-3233=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3202=1 SUSE-SLE-SERVER-12-SP3-2020-3209=1 SUSE-SLE-SERVER-12-SP3-2020-3218=1 SUSE-SLE-SERVER-12-SP3-2020-3220=1 SUSE-SLE-SERVER-12-SP3-2020-3221=1 SUSE-SLE-SERVER-12-SP3-2020-3225=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3227=1 SUSE-SLE-SERVER-12-SP2-2020-3228=1 SUSE-SLE-SERVER-12-SP2-2020-3229=1 SUSE-SLE-SERVER-12-SP2-2020-3233=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kgraft-patch-4_4_180-94_107-default-8-2.2
      kgraft-patch-4_4_180-94_107-default-debuginfo-8-2.2
      kgraft-patch-4_4_180-94_113-default-7-2.2
      kgraft-patch-4_4_180-94_113-default-debuginfo-7-2.2
      kgraft-patch-4_4_180-94_116-default-4-2.2
      kgraft-patch-4_4_180-94_116-default-debuginfo-4-2.2
      kgraft-patch-4_4_180-94_121-default-3-2.2
      kgraft-patch-4_4_180-94_121-default-debuginfo-3-2.2
      kgraft-patch-4_4_180-94_124-default-3-2.2
      kgraft-patch-4_4_180-94_124-default-debuginfo-3-2.2
      kgraft-patch-4_4_180-94_127-default-3-2.1
      kgraft-patch-4_4_180-94_127-default-debuginfo-3-2.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kgraft-patch-4_4_121-92_125-default-8-2.2
      kgraft-patch-4_4_121-92_129-default-5-2.2
      kgraft-patch-4_4_121-92_135-default-3-2.2
      kgraft-patch-4_4_121-92_138-default-3-2.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_180-94_107-default-8-2.2
      kgraft-patch-4_4_180-94_107-default-debuginfo-8-2.2
      kgraft-patch-4_4_180-94_113-default-7-2.2
      kgraft-patch-4_4_180-94_113-default-debuginfo-7-2.2
      kgraft-patch-4_4_180-94_116-default-4-2.2
      kgraft-patch-4_4_180-94_116-default-debuginfo-4-2.2
      kgraft-patch-4_4_180-94_121-default-3-2.2
      kgraft-patch-4_4_180-94_121-default-debuginfo-3-2.2
      kgraft-patch-4_4_180-94_124-default-3-2.2
      kgraft-patch-4_4_180-94_124-default-debuginfo-3-2.2
      kgraft-patch-4_4_180-94_127-default-3-2.1
      kgraft-patch-4_4_180-94_127-default-debuginfo-3-2.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_125-default-8-2.2
      kgraft-patch-4_4_121-92_129-default-5-2.2
      kgraft-patch-4_4_121-92_135-default-3-2.2
      kgraft-patch-4_4_121-92_138-default-3-2.1

References:

   https://www.suse.com/security/cve/CVE-2020-0429.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14386.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://bugzilla.suse.com/1176012
   https://bugzilla.suse.com/1176072
   https://bugzilla.suse.com/1176382
   https://bugzilla.suse.com/1176896
   https://bugzilla.suse.com/1176931

From sle-security-updates at lists.suse.com Fri Nov 6 13:33:34 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:33:34 +0100 (CET)
Subject: SUSE-SU-2020:3222-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5)
Message-ID: <20201106203334.BD2ABFFAB@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3222-1
Rating:             important
References:         #1176012 #1176382
Cross-References:   CVE-2020-14381 CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_37 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex)
     wait operation, which could have led to memory corruption and possibly
     privilege escalation (bsc#1176011).
   - CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used
     by local attackers to corrupt memory or possibly have unspecified other
     impact because a size check is in fs/nfs/nfs4proc.c instead of
     fs/nfs/nfs4xdr.c (bsc#1176381).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3222=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3207=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_37-default-2-2.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_60-default-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://bugzilla.suse.com/1176012
   https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Fri Nov 6 13:35:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:35:56 +0100 (CET)
Subject: SUSE-SU-2020:3204-1: important: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP5)
Message-ID: <20201106203556.B73A1FFAC@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3204-1
Rating:             important
References:         #1175992 #1176012 #1176072 #1176382 #1176896
Cross-References:   CVE-2020-0431 CVE-2020-14381 CVE-2020-14386 CVE-2020-24394
                    CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_20 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex)
     wait operation, which could have led to memory corruption and possibly
     privilege escalation (bsc#1176011).
   - CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of
     bounds write due to a missing bounds check. This could lead to local
     escalation of privilege with no additional execution privileges needed.
     User interaction is not needed for exploitation. (bsc#1176722)
   - CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used
     by local attackers to corrupt memory or possibly have unspecified other
     impact because a size check is in fs/nfs/nfs4proc.c instead of
     fs/nfs/nfs4xdr.c (bsc#1176381).
   - CVE-2020-14386: Fixed a memory corruption which could have led to an
     attacker gaining root privileges from unprivileged processes. The
     highest threat from this vulnerability is to data confidentiality and
     integrity (bsc#1176069).
   - CVE-2020-24394: The NFS server code can set incorrect permissions on new
     filesystem objects when the filesystem lacks ACL support. This occurs
     because the current umask is not considered (bsc#1175518).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3204=1 SUSE-SLE-Live-Patching-12-SP5-2020-3205=1 SUSE-SLE-Live-Patching-12-SP5-2020-3206=1 SUSE-SLE-Live-Patching-12-SP5-2020-3208=1 SUSE-SLE-Live-Patching-12-SP5-2020-3211=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3213=1 SUSE-SLE-Live-Patching-12-SP4-2020-3214=1 SUSE-SLE-Live-Patching-12-SP4-2020-3215=1 SUSE-SLE-Live-Patching-12-SP4-2020-3216=1 SUSE-SLE-Live-Patching-12-SP4-2020-3217=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_17-default-6-2.2
      kgraft-patch-4_12_14-122_20-default-5-2.2

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):

      kgraft-patch-4_12_14-120-default-7-18.2
      kgraft-patch-4_12_14-120-default-debuginfo-7-18.2
      kgraft-patch-4_12_14-122_12-default-7-2.2
      kgraft-patch-4_12_14-122_7-default-7-2.2
      kgraft-patch-SLE12-SP5_Update_0-debugsource-7-18.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_51-default-5-2.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):

      kgraft-patch-4_12_14-95_37-default-8-2.2
      kgraft-patch-4_12_14-95_40-default-7-2.2
      kgraft-patch-4_12_14-95_45-default-7-2.2
      kgraft-patch-4_12_14-95_48-default-6-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14386.html
   https://www.suse.com/security/cve/CVE-2020-24394.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://bugzilla.suse.com/1175992
   https://bugzilla.suse.com/1176012
   https://bugzilla.suse.com/1176072
   https://bugzilla.suse.com/1176382
   https://bugzilla.suse.com/1176896

From sle-security-updates at lists.suse.com Fri Nov 6 13:37:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:37:22 +0100 (CET)
Subject: SUSE-SU-2020:14537-1: critical: Security update for SUSE Manager Client Tools
Message-ID: <20201106203722.D2C88FFAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14537-1
Rating:             critical
References:         #1159670 #1167907 #1169664 #1175987 #1176024 #1176294
                    #1176397 #1177867 #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Manager Ubuntu 20.04-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves three vulnerabilities and has 8 fixes is now
   available.

Description:

   This update fixes the following issues:

   salt:

   - Properly validate eauth credentials and tokens on SSH calls made by
     Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)
   - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'
     (bsc#1177867)
   - Ensure virt.update stop_on_reboot is updated with its default value
   - Do not break package building for systemd OSes
   - Drop wrong mock from chroot unit test
   - Support systemd versions with dot (bsc#1176294)
   - Fix for grains.test_core unit test
   - Fix file/directory user and group ownership containing UTF-8
     characters (bsc#1176024)
   - Several changes to virtualization:
     * Fix virt update when cpu and memory are changed
     * Memory Tuning GSoC
     * Properly fix memory setting regression in virt.update
     * Expose libvirt on_reboot in virt states
   - Support transactional systems (MicroOS)
   - Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
   - Xen disk fixes. No longer generates volumes for Xen disks, but the
     corresponding file or block disk (bsc#1175987)
   - Invalidate file list cache when cache file modified time is in the
     future (bsc#1176397)
   - Prevent import errors when running test_btrfs unit tests

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS:

      zypper in -t patch suse-ubu204ct-client-tools-202010-14537=1

Package List:

   - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS (amd64):

      prometheus-exporter-exporter-0.4.0-1

   - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS (all):

      salt-common-3000+ds-1+2.18.1
      salt-minion-3000+ds-1+2.18.1
      spacecmd-4.1.8-2.12.2

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1159670
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176024
   https://bugzilla.suse.com/1176294
   https://bugzilla.suse.com/1176397
   https://bugzilla.suse.com/1177867
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:39:26 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:39:26 +0100 (CET)
Subject: SUSE-SU-2020:3243-1: critical: Security update for salt
Message-ID: <20201106203926.E0F17FFAB@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3243-1
Rating:             critical
References:         #1159670 #1175987 #1176024 #1176294 #1176397 #1177867
                    #1178319 #1178361 #1178362 #1178485
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that solves three vulnerabilities and has 7 fixes is now
   available.

Description:

   This update for salt fixes the following issues:

   - Avoid regression on "salt-master": set passphrase for salt-ssh keys to
     empty string (bsc#1178485)
   - Properly validate eauth credentials and tokens on SSH calls made by
     Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)
   - Fix disk.blkid to avoid unexpected keyword argument '__pub_user'.
     (bsc#1177867)
   - Ensure virt.update stop_on_reboot is updated with its default value.
   - Do not break package building for systemd OSes.
   - Drop wrong mock from chroot unit test.
   - Support systemd versions with dot. (bsc#1176294)
   - Fix for grains.test_core unit test.
   - Fix file/directory user and group ownership containing UTF-8
     characters. (bsc#1176024)
   - Several changes to virtualization:
     * Fix virt update when cpu and memory are changed.
     * Memory Tuning GSoC.
     * Properly fix memory setting regression in virt.update.
     * Expose libvirt on_reboot in virt states.
   - Support transactional systems (MicroOS).
   - zypperpkg module ignores retcode 104 for search(). (bsc#1159670)
   - Xen disk fixes. No longer generates volumes for Xen disks, but the
     corresponding file or block disk. (bsc#1175987)
   - Invalidate file list cache when cache file modified time is in the
     future. (bsc#1176397)
   - Prevent import errors when running test_btrfs unit tests

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3243=1

   - SUSE Linux Enterprise Module for Python2 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3243=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3243=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      salt-api-3000-6.51.1
      salt-cloud-3000-6.51.1
      salt-master-3000-6.51.1
      salt-proxy-3000-6.51.1
      salt-ssh-3000-6.51.1
      salt-standalone-formulas-configuration-3000-6.51.1
      salt-syndic-3000-6.51.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

      salt-fish-completion-3000-6.51.1

   - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):

      python2-salt-3000-6.51.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      python3-salt-3000-6.51.1
      salt-3000-6.51.1
      salt-doc-3000-6.51.1
      salt-minion-3000-6.51.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      salt-bash-completion-3000-6.51.1
      salt-zsh-completion-3000-6.51.1

References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1159670
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176024
   https://bugzilla.suse.com/1176294
   https://bugzilla.suse.com/1176397
   https://bugzilla.suse.com/1177867
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362
   https://bugzilla.suse.com/1178485

From sle-security-updates at lists.suse.com Fri Nov 6 13:41:28 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:41:28 +0100 (CET)
Subject: SUSE-SU-2020:3231-1: moderate: Security update for yast2-multipath
Message-ID: <20201106204128.715E2FFAB@maintenance.suse.de>

SUSE Security Update: Security update for yast2-multipath
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3231-1
Rating:             moderate
References:         #1117592
Cross-References:   CVE-2018-17955
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
                    SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for yast2-multipath to version 3.2.2 fixes the following
   issues:

   - CVE-2018-17955: Use random file name instead of static names
     (bsc#1117592).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-3231=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-3231=1

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2020-3231=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (noarch):

      yast2-multipath-3.2.2-3.3.30

   - SUSE Linux Enterprise High Availability 12-SP4 (noarch):

      yast2-multipath-3.2.2-3.3.30

   - SUSE Linux Enterprise High Availability 12-SP3 (noarch):

      yast2-multipath-3.2.2-3.3.30

References:

   https://www.suse.com/security/cve/CVE-2018-17955.html
   https://bugzilla.suse.com/1117592

From sle-security-updates at lists.suse.com Fri Nov 6 13:42:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:42:31 +0100 (CET)
Subject: SUSE-SU-2020:3210-1: important: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP5)
Message-ID: <20201106204231.6DFA3FFAB@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3210-1
Rating:             important
References:         #1175992 #1176012 #1176072 #1176382
Cross-References:   CVE-2020-14381 CVE-2020-14386 CVE-2020-24394 CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_26 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex)
     wait operation, which could have led to memory corruption and possibly
     privilege escalation (bsc#1176011).
   - CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used
     by local attackers to corrupt memory or possibly have unspecified other
     impact because a size check is in fs/nfs/nfs4proc.c instead of
     fs/nfs/nfs4xdr.c (bsc#1176381).
   - CVE-2020-14386: Fixed a memory corruption which could have led to an
     attacker gaining root privileges from unprivileged processes. The
     highest threat from this vulnerability is to data confidentiality and
     integrity (bsc#1176069).
   - CVE-2020-24394: The NFS server code can set incorrect permissions on new
     filesystem objects when the filesystem lacks ACL support. This occurs
     because the current umask is not considered (bsc#1175518).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3203=1 SUSE-SLE-Live-Patching-12-SP5-2020-3223=1 SUSE-SLE-Live-Patching-12-SP5-2020-3224=1 SUSE-SLE-Live-Patching-12-SP5-2020-3232=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3210=1 SUSE-SLE-Live-Patching-12-SP4-2020-3212=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_23-default-3-2.2
      kgraft-patch-4_12_14-122_26-default-3-2.2
      kgraft-patch-4_12_14-122_29-default-3-2.1
      kgraft-patch-4_12_14-122_32-default-3-2.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_54-default-3-2.2
      kgraft-patch-4_12_14-95_57-default-3-2.1

References:

   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14386.html
   https://www.suse.com/security/cve/CVE-2020-24394.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://bugzilla.suse.com/1175992
   https://bugzilla.suse.com/1176012
   https://bugzilla.suse.com/1176072
   https://bugzilla.suse.com/1176382

From sle-security-updates at lists.suse.com Fri Nov 6 13:43:48 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:43:48 +0100 (CET)
Subject: SUSE-SU-2020:3235-1: moderate: Security update for SUSE Manager Server 4.1
Message-ID: <20201106204348.688DFFFAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3235-1
Rating:             moderate
References:         #1144447 #1167907 #1169664 #1173199 #1175843 #1175876
                    #1176159 #1176307 #1176413 #1176603 #1176629 #1176765
                    #1177092 #1177235 #1177396 #1177478 #1177524 #1177730
                    #1177790 #1177892 #1178060 #1178145 #1178204 #1178319
                    #1178361 #1178362
Cross-References:   CVE-2020-15168 CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has 22 fixes is now
   available.

Description:

   This update fixes the following issues:

   bind-formula:

   - Temporarily disable dnssec-validation as hotfix for bsc#1177790

   grafana-formula:

   - Use variable for product name
   - Add HA/SAP dashboards
   - Add support for system groups in Client Systems dashboard

   image-sync-formula:

   - Do not use .gz suffix for default initrd symlink
   - Keep the old symlink "initrd.gz" for compatibility

   prometheus-exporters-formula:

   - Fix empty directory values initialization
   - Add systemd collector as default for node_exporters since otherwise
     some SAP/HA grafana dashboards will be empty
   - Disable reverse proxy on default

   prometheus-formula:

   - Disable Alertmanager clustering (bsc#1178145)
   - Use variable for product name

   pxe-formula:

   - Change default to "initrd" without .gz suffix

   py26-compat-salt:

   - Properly validate eauth credentials and tokens on SSH calls made by
     Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   python-susemanager-retail:

   - Use name "initrd" without .gz suffix

   salt-netapi-client:

   - Version 0.18.0
     See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

   saltboot-formula:

   - Allow setting terminal kernel parameters in saltboot formula

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

   spacewalk-admin:

   - Show info message when applying schema upgrade

   spacewalk-backend:

   - Prevent IntegrityError during mgr-inter-sync execution (bsc#1177235)

   spacewalk-branding:

   - Enable to switch to multiple webUI theme

   spacewalk-client-tools:

   - Remove RH references in Python/Ruby localization and use the product
     name instead

   spacewalk-java:

   - Use correct eauth module and credentials for Salt SSH calls
     (bsc#1178319)
   - Remove expiration date from ics files (bsc#1177892)
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Enable to switch to multiple webUI theme
   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Renaming autoinstall distro didn't change the name of the Cobbler
     distro (bsc#1175876)
   - Fix the links for downloading the binaries in the package details UI
     (bsc#1176603)
   - Allow nightly ISS sync to also cover custom channels
   - Fix: reinspecting a container image (bsc#1177092)
   - Add power management xmlrpc api
   - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting
     system (bsc#1176159)
   - Log exception trace on fatal Taskomatic startup error
   - Fix max password length check at user creation (bsc#1176765)
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server
   - Fix SP migration after dry run for cloned channels (bsc#1176307)
   - Filter not available optional channels out

   spacewalk-search:

   - Change default maximum memory to 512 MB, preventing OutOfMemoryError

   spacewalk-web:

   - Enable to switch to multiple webUI theme
   - Only refresh the virtual storage list when pool events are received
   - Drop node-fetch to fix CVE-2020-15168
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server

   susemanager:

   - Create bootstrap repo should not flush by default (bsc#1175843)
   - Improve detection of base channels for products (bsc#1177478)
   - Add LTSS PIDs for SLE12SP1, SLE12SP2, SLE12SP3 and SLE12SP4 to the
     bootstrap definitions as some packages from LTSS are required
     (bsc#1177524)
   - Fix logrotate config
   - Add missing packages to ubuntu20.04 bootstrap data (bsc#1176629)
susemanager-build-keys: - Replace "SuSE" user-facing references with "SUSE" susemanager-doc-indexes: - Documented zypper autorefresh feature in Upgrade Guide - Update SP Migration chapter in Client Configuration Guide - In Client Configuration and Upgrade Guide, add link to valid autoyast upgrade settings - Move client upgrade related sections from Reference and Upgrade Guide to Client Configuration Guide - Updated Requirements chapter in Installation Guide. - Edits OpenSCAP section in Admin Guide (bsc#1176413) - Updated Terminology section in Salt Guide - Added on-demand images content to Install Guide - Adds webUI locale choice to Ref & Admin Guides - Adds new System Types section to Client Cfg - Updates supported client matrix in Install Guide - Add note about log file to Upgrade Guide - Removes outdated content from Activation Keys section (bsc#1177396) - Adds note about PAM Auth during migration (bsc#1177730) - Fixed broken table in admin guide susemanager-docs_en: - Documented zypper autorefresh feature in Upgrade Guide - Update SP Migration chapter in Client Configuration Guide - In Client Configuration and Upgrade Guide, add link to valid autoyast upgrade settings - Move client upgrade related sections from Reference and Upgrade Guide to Client Configuration Guide - Updated Requirements chapter in Installation Guide. 
- Edits OpenSCAP section in Admin Guide (bsc#1176413) - Updated Terminology section in Salt Guide - Added on-demand images content to Install Guide - Adds webUI locale choice to Ref & Admin Guides - Adds new System Types section to Client Cfg - Updates supported client matrix in Install Guide - Add note about log file to Upgrade Guide - Removes outdated content from Activation Keys section (bsc#1177396) - Adds note about PAM Auth during migration (bsc#1177730) - Fixed broken table in admin guide susemanager-schema: - Add web_theme user preferences column (bsc#1178204) - Execute Salt SSH actions in parallel (bsc#1173199) - Show info message when applying schema upgrade susemanager-sls: - Fix action chain resuming when patches updating salt-minion don't cause service to be restarted (bsc#1144447) - Make grub2 autoinstall kernel path relative to the boot partition root (bsc#1175876) - Move channel token information from sources.list to auth.conf on Debian 10 and Ubuntu 18 and newer - Add support for activation keys on server configuration Salt modules - Ensure the yum/dnf plugins are enabled - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting system (bsc#1176159) - Fix grub2 autoinstall kernel path (bsc#1178060) How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-3235=1

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2020-3235=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      spacewalk-branding-4.1.11-3.9.6
      susemanager-4.1.21-3.11.6
      susemanager-tools-4.1.21-3.11.6

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      bind-formula-0.1.1603299886.60e4bcf-3.3.2
      grafana-formula-0.3.0-3.3.2
      image-sync-formula-0.1.1602150122.f08af0a-3.6.2
      prometheus-exporters-formula-0.8.0-3.16.2
      prometheus-formula-0.3.0-3.3.1
      pxe-formula-0.1.1602490840.4f32148-3.3.2
      py26-compat-salt-2016.11.10-6.3.3
      python3-spacewalk-client-tools-4.1.7-4.6.4
      python3-susemanager-retail-1.0.1602150122.f08af0a-3.3.2
      salt-netapi-client-0.18.0-15.7.5
      saltboot-formula-0.1.1602150122.f08af0a-3.6.2
      spacecmd-4.1.8-4.9.2
      spacewalk-admin-4.1.7-3.6.3
      spacewalk-backend-4.1.16-4.11.5
      spacewalk-backend-app-4.1.16-4.11.5
      spacewalk-backend-applet-4.1.16-4.11.5
      spacewalk-backend-config-files-4.1.16-4.11.5
      spacewalk-backend-config-files-common-4.1.16-4.11.5
      spacewalk-backend-config-files-tool-4.1.16-4.11.5
      spacewalk-backend-iss-4.1.16-4.11.5
      spacewalk-backend-iss-export-4.1.16-4.11.5
      spacewalk-backend-package-push-server-4.1.16-4.11.5
      spacewalk-backend-server-4.1.16-4.11.5
      spacewalk-backend-sql-4.1.16-4.11.5
      spacewalk-backend-sql-postgresql-4.1.16-4.11.5
      spacewalk-backend-tools-4.1.16-4.11.5
      spacewalk-backend-xml-export-libs-4.1.16-4.11.5
      spacewalk-backend-xmlrpc-4.1.16-4.11.5
      spacewalk-base-4.1.19-3.9.5
      spacewalk-base-minimal-4.1.19-3.9.5
      spacewalk-base-minimal-config-4.1.19-3.9.5
      spacewalk-client-tools-4.1.7-4.6.4
      spacewalk-html-4.1.19-3.9.5
      spacewalk-java-4.1.22-3.16.4
      spacewalk-java-config-4.1.22-3.16.4
      spacewalk-java-lib-4.1.22-3.16.4
      spacewalk-java-postgresql-4.1.22-3.16.4
      spacewalk-search-4.1.3-3.3.7
      spacewalk-taskomatic-4.1.22-3.16.4
      susemanager-build-keys-15.2.2-3.6.3
      susemanager-build-keys-web-15.2.2-3.6.3
      susemanager-doc-indexes-4.1-11.17.1
      susemanager-docs_en-4.1-11.17.1
      susemanager-docs_en-pdf-4.1-11.17.1
      susemanager-retail-tools-1.0.1602150122.f08af0a-3.3.2
      susemanager-schema-4.1.15-3.11.2
      susemanager-sls-4.1.17-3.13.6
      susemanager-web-libs-4.1.19-3.9.5
      uyuni-config-modules-4.1.17-3.13.6

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch):

      mgr-daemon-4.1.3-2.6.3
      python3-spacewalk-check-4.1.7-4.6.4
      python3-spacewalk-client-setup-4.1.7-4.6.4
      python3-spacewalk-client-tools-4.1.7-4.6.4
      spacecmd-4.1.8-4.9.2
      spacewalk-backend-4.1.16-4.11.5
      spacewalk-base-minimal-4.1.19-3.9.5
      spacewalk-base-minimal-config-4.1.19-3.9.5
      spacewalk-check-4.1.7-4.6.4
      spacewalk-client-setup-4.1.7-4.6.4
      spacewalk-client-tools-4.1.7-4.6.4
      susemanager-build-keys-15.2.2-3.6.3
      susemanager-build-keys-web-15.2.2-3.6.3


References:

   https://www.suse.com/security/cve/CVE-2020-15168.html
   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1144447
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1173199
   https://bugzilla.suse.com/1175843
   https://bugzilla.suse.com/1175876
   https://bugzilla.suse.com/1176159
   https://bugzilla.suse.com/1176307
   https://bugzilla.suse.com/1176413
   https://bugzilla.suse.com/1176603
   https://bugzilla.suse.com/1176629
   https://bugzilla.suse.com/1176765
   https://bugzilla.suse.com/1177092
   https://bugzilla.suse.com/1177235
   https://bugzilla.suse.com/1177396
   https://bugzilla.suse.com/1177478
   https://bugzilla.suse.com/1177524
   https://bugzilla.suse.com/1177730
   https://bugzilla.suse.com/1177790
   https://bugzilla.suse.com/1177892
   https://bugzilla.suse.com/1178060
   https://bugzilla.suse.com/1178145
   https://bugzilla.suse.com/1178204
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:51:09 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:51:09 +0100 (CET)
Subject: SUSE-SU-2020:3219-1: important: Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3)
Message-ID: <20201106205109.4BD64FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3219-1
Rating:             important
References:         #1165631 #1173942 #1176012 #1176382 #1176896 #1176931
Cross-References:   CVE-2020-0429 CVE-2020-0431 CVE-2020-11668 CVE-2020-14381
                    CVE-2020-1749 CVE-2020-25212
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP2-LTSS
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.4.180-94_130 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-0429: In l2tp_session_delete and related functions of
     l2tp_core.c, there is possible memory corruption due to a use after
     free. This could lead to local escalation of privilege with system
     execution privileges needed. User interaction is not needed for
     exploitation. (bsc#1176724)
   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex)
     wait operation, which could have led to memory corruption and possibly
     privilege escalation (bsc#1176011).
   - CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of
     bounds write due to a missing bounds check. This could lead to local
     escalation of privilege with no additional execution privileges
     needed. User interaction is not needed for exploitation. (bsc#1176722)
   - CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used
     by local attackers to corrupt memory or possibly have unspecified
     other impact because a size check is in fs/nfs/nfs4proc.c instead of
     fs/nfs/nfs4xdr.c (bsc#1176381).
   - CVE-2020-11668: Fixed an out of bounds write to the heap in
     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB
     driver) caused by mishandling invalid descriptors (bsc#1168952).
   - CVE-2020-1749: A flaw was found in the implementation of some
     networking protocols in IPsec, such as VXLAN and GENEVE tunnels over
     IPv6. When an encrypted tunnel is created between two hosts, the
     kernel isn't correctly routing tunneled data over the encrypted link,
     rather sending the data unencrypted. This would have allowed anyone in
     between the two endpoints to read the traffic unencrypted.
     (bsc#1165629)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3219=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3226=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3219=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3226=1



Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kgraft-patch-4_4_180-94_130-default-2-2.1
      kgraft-patch-4_4_180-94_130-default-debuginfo-2-2.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kgraft-patch-4_4_121-92_141-default-2-2.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_180-94_130-default-2-2.1
      kgraft-patch-4_4_180-94_130-default-debuginfo-2-2.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_141-default-2-2.1


References:

   https://www.suse.com/security/cve/CVE-2020-0429.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-11668.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-1749.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://bugzilla.suse.com/1165631
   https://bugzilla.suse.com/1173942
   https://bugzilla.suse.com/1176012
   https://bugzilla.suse.com/1176382
   https://bugzilla.suse.com/1176896
   https://bugzilla.suse.com/1176931

From sle-security-updates at lists.suse.com Fri Nov 6 13:52:33 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:52:33 +0100 (CET)
Subject: SUSE-SU-2020:3251-1: critical: Security update for SUSE Manager 3.2
Message-ID: <20201106205233.62517FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3251-1
Rating:             critical
References:         #1178319 #1178361 #1178362
Cross-References:   CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This security update for SUSE Manager 3.2 fixes the following issues:

   py26-compat-salt:

   - Properly validate eauth credentials and tokens on SSH calls made by
     Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   spacewalk-java:

   - Use correct eauth module and credentials for Salt SSH calls
     (bsc#1178319, CVE-2020-25592)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-3251=1



Package List:

   - SUSE Manager Server 3.2 (noarch):

      py26-compat-salt-2016.11.10-6.41.1
      spacewalk-java-2.8.78.31-3.56.1
      spacewalk-java-config-2.8.78.31-3.56.1
      spacewalk-java-lib-2.8.78.31-3.56.1
      spacewalk-java-oracle-2.8.78.31-3.56.1
      spacewalk-java-postgresql-2.8.78.31-3.56.1
      spacewalk-taskomatic-2.8.78.31-3.56.1


References:

   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362

From sle-security-updates at lists.suse.com Fri Nov 6 13:53:41 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Nov 2020 21:53:41 +0100 (CET)
Subject: SUSE-SU-2020:3230-1: important: Security update for the Linux Kernel
Message-ID: <20201106205341.A9224FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3230-1
Rating:             important
References:         #1065600 #1155798 #1168468 #1171675 #1175599 #1175718
                    #1176019 #1176381 #1176588 #1176979 #1177027 #1177121
                    #1177193 #1177194 #1177206 #1177258 #1177283 #1177284
                    #1177285 #1177286 #1177297 #1177384 #1177511 #954532
Cross-References:   CVE-2020-25212 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has 20 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-25212: Fixed getxattr kernel panic and memory overflow
     (bsc#1176381).
   - CVE-2020-25643: Added range checks in ppp_cp_parse_cr() (bsc#1177206).
   - CVE-2020-25641: Allowed for_each_bvec to support zero len bvec
     (bsc#1177121).
   - CVE-2020-25645: Added transport ports in route lookup for geneve
     (bsc#1177511).

   The following non-security bugs were fixed:

   - 9p: Fix memory leak in v9fs_mount (git-fixes).
   - ACPI: EC: Reference count query handlers under lock (git-fixes).
   - airo: Fix read overflows sending packets (git-fixes).
   - ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
   - ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
   - ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
     (git-fixes).
   - ASoC: kirkwood: fix IRQ error handling (git-fixes).
   - ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect
     functions (git-fixes).
   - ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
     (git-fixes).
   - ath10k: fix array out-of-bounds access (git-fixes).
   - ath10k: fix memory leak for tpc_stats_final (git-fixes).
   - ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
   - Bluetooth: Fix refcount use-after-free issue (git-fixes).
   - Bluetooth: guard against controllers sending zero'd events (git-fixes).
   - Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
     (git-fixes).
   - Bluetooth: L2CAP: handle l2cap config request during open state
     (git-fixes).
   - Bluetooth: prefetch channel before killing sock (git-fixes).
   - brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
   - btrfs: block-group: do not set the wrong READA flag for
     btrfs_read_block_groups() (bsc#1176019).
   - btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
   - btrfs: block-group: refactor how we delete one block group item
     (bsc#1176019).
   - btrfs: block-group: refactor how we insert a block group item
     (bsc#1176019).
   - btrfs: block-group: refactor how we read one block group item
     (bsc#1176019).
   - btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
   - btrfs: do not take an extra root ref at allocation time (bsc#1176019).
   - btrfs: drop logs when we've aborted a transaction (bsc#1176019).
   - btrfs: fix a race between scrub and block group removal/allocation
     (bsc#1176019).
   - btrfs: fix crash during unmount due to race with delayed inode workers
     (bsc#1176019).
   - btrfs: free block groups after free'ing fs trees (bsc#1176019).
   - btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
   - btrfs: kill the subvol_srcu (bsc#1176019).
   - btrfs: make btrfs_cleanup_fs_roots use the radix tree lock
     (bsc#1176019).
   - btrfs: make inodes hold a ref on their roots (bsc#1176019).
   - btrfs: make the extent buffer leak check per fs info (bsc#1176019).
   - btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root
     (bsc#1176019).
   - btrfs: move the block group freeze/unfreeze helpers into block-group.c
     (bsc#1176019).
   - btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
   - btrfs: remove no longer necessary chunk mutex locking cases
     (bsc#1176019).
   - btrfs: rename member 'trimming' of block group to a more generic name
     (bsc#1176019).
   - btrfs: scrub, only lookup for csums if we are dealing with a data
     extent (bsc#1176019).
   - bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in
     host removal (git-fixes).
   - clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
     (git-fixes).
   - clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk
     (git-fixes).
   - clk: tegra: Always program PLL_E when enabled (git-fixes).
   - clk/ti/adpll: allocate room for terminating null (git-fixes).
   - clocksource/drivers/h8300_timer8: Fix wrong return value in
     h8300_8timer_init() (git-fixes).
   - clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
   - cpuidle: Poll for a minimum of 30ns and poll for a tick if lower
     c-states are disabled (bnc#1176588).
   - crypto: dh - check validity of Z before export (bsc#1175718).
   - crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
   - crypto: ecc - SP800-56A rev 3 local public key validation
     (bsc#1175718).
   - crypto: ecdh - check validity of Z before export (bsc#1175718).
   - dmaengine: mediatek: hsdma_probe: fixed a memory leak when
     devm_request_irq fails (git-fixes).
   - dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
     (git-fixes).
   - dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
     (git-fixes).
   - dmaengine: tegra-apb: Prevent race conditions on channel's freeing
     (git-fixes).
   - dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
   - dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
     (git-fixes).
   - drivers: char: tlclk.c: Avoid data race between init and interrupt
     handler (git-fixes).
   - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
     (git-fixes).
   - drm/radeon: revert "Prefer lower feedback dividers" (bsc#1177384).
   - e1000: Do not perform reset in reset_task if we are already down
     (git-fixes).
   - ftrace: Move RCU is watching check after recursion check (git-fixes).
   - fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
   - gpio: mockup: fix resource leak in error path (git-fixes).
   - gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
   - gpio: siox: explicitly support only threaded irqs (git-fixes).
   - gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
   - gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
   - hwmon: (applesmc) check status earlier (git-fixes).
   - i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
   - i2c: core: Call i2c_acpi_install_space_handler() before
     i2c_acpi_register_devices() (git-fixes).
   - i2c: i801: Exclude device from suspend direct complete optimization
     (git-fixes).
   - i2c: tegra: Prevent interrupt triggering after transfer timeout
     (git-fixes).
   - i2c: tegra: Restore pinmux on system resume (git-fixes).
   - ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
   - ieee802154: fix one possible memleak in ca8210_dev_com_init
     (git-fixes).
   - iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
   - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
   - Input: trackpoint - enable Synaptics trackpoints (git-fixes).
   - iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE
     (bsc#1177297).
   - iommu/amd: Fix potential @entry null deref (bsc#1177283).
   - iommu/amd: Re-factor guest virtual APIC (de-)activation code
     (bsc#1177284).
   - iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode
     (bsc#1177285).
   - iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate()
     (bsc#1177286).
   - kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing
     PCI_COMMAND_MEMORY (bsc#1176979).
   - leds: mlxreg: Fix possible buffer overflow (git-fixes).
   - lib/mpi: Add mpi_sub_ui() (bsc#1175718).
   - locking/rwsem: Disable reader optimistic spinning (bnc#1176588).
   - mac80211: do not allow bigger VHT MPDUs than the hardware supports
     (git-fixes).
   - mac80211: skip mpath lookup also for control port tx (git-fixes).
   - mac802154: tx: fix use-after-free (git-fixes).
   - media: mc-device.c: fix memleak in media_device_register_entity
     (git-fixes).
   - media: smiapp: Fix error handling at NVM reading (git-fixes).
   - media: ti-vpe: cal: Restrict DMA to avoid memory corruption
     (git-fixes).
   - mfd: mfd-core: Protect against NULL call-back function pointer
     (git-fixes).
   - mmc: core: Rework wp-gpio handling (git-fixes).
   - mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
     models (git-fixes).
   - mt76: add missing locking around ampdu action (git-fixes).
   - mt76: clear skb pointers from rx aggregation reorder buffer during
     cleanup (git-fixes).
   - mt76: do not use devm API for led classdev (git-fixes).
   - mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
     (git-fixes).
   - mt76: fix LED link time failure (git-fixes).
   - mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of
     cfi_amdstd_setup() (git-fixes).
   - mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
   - mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
   - net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
   - nfs: Fix security label length not being reset (bsc#1176381).
   - PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
   - PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
   - PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
   - PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
   - phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
   - pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
   - Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
   - platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
     (git-fixes).
   - platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
   - platform/x86: intel_pmc_core: do not create a static struct device
     (git-fixes).
   - platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE
     reporting (bsc#1175599).
   - platform/x86: thinkpad_acpi: initialize tp_nvram_state variable
     (git-fixes).
   - platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse
     (git-fixes).
   - power: supply: max17040: Correct voltage reading (git-fixes).
   - Refresh
     patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch
     (bsc#1168468, bsc#1171675).
   - rtc: ds1374: fix possible race condition (git-fixes).
   - rtc: sa1100: fix possible race condition (git-fixes).
   - s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY
     (bsc#1176979).
   - sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU
     scheduler functional and performance backports)).
   - sched/fair: Use dst group while checking imbalance for NUMA balancer
     (bnc#1155798 (CPU scheduler functional and performance backports)).
   - sched/numa: Avoid creating large imbalances at task creation time
     (bnc#1176588).
   - sched/numa: Check numa balancing information only when enabled
     (bnc#1176588).
   - sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU
     scheduler functional and performance backports)).
   - scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling
     getpeername() (bsc#1177258).
   - serial: 8250: 8250_omap: Terminate DMA before pushing data on RX
     timeout (git-fixes).
   - serial: 8250_omap: Fix sleeping function called from invalid context
     during probe (git-fixes).
   - serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
   - serial: uartps: Wait for tx_empty in console setup (git-fixes).
   - spi: fsl-espi: Only process interrupts for expected events (git-fixes).
   - staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
     (git-fixes).
   - thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
   - Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI
     (bsc#1177194).
   - usb: dwc3: Increase timeout for CmdAct cleared by device controller
     (git-fixes).
   - USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
   - USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
     (git-fixes).
   - USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
   - vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn
     (bsc#1176979).
   - vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
   - wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
   - wlcore: fix runtime pm imbalance in wlcore_regdomain_config
     (git-fixes).
   - xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
   - yam: fix possible memory leak in yam_init_driver (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP2:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2020-3230=1



Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

      cluster-md-kmp-rt-5.3.18-13.1
      cluster-md-kmp-rt-debuginfo-5.3.18-13.1
      dlm-kmp-rt-5.3.18-13.1
      dlm-kmp-rt-debuginfo-5.3.18-13.1
      gfs2-kmp-rt-5.3.18-13.1
      gfs2-kmp-rt-debuginfo-5.3.18-13.1
      kernel-rt-5.3.18-13.1
      kernel-rt-debuginfo-5.3.18-13.1
      kernel-rt-debugsource-5.3.18-13.1
      kernel-rt-devel-5.3.18-13.1
      kernel-rt-devel-debuginfo-5.3.18-13.1
      kernel-rt_debug-debuginfo-5.3.18-13.1
      kernel-rt_debug-debugsource-5.3.18-13.1
      kernel-rt_debug-devel-5.3.18-13.1
      kernel-rt_debug-devel-debuginfo-5.3.18-13.1
      kernel-syms-rt-5.3.18-13.1
      ocfs2-kmp-rt-5.3.18-13.1
      ocfs2-kmp-rt-debuginfo-5.3.18-13.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

      kernel-devel-rt-5.3.18-13.1
      kernel-source-rt-5.3.18-13.1


References:

   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1155798
   https://bugzilla.suse.com/1168468
   https://bugzilla.suse.com/1171675
   https://bugzilla.suse.com/1175599
   https://bugzilla.suse.com/1175718
   https://bugzilla.suse.com/1176019
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176588
   https://bugzilla.suse.com/1176979
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177193
   https://bugzilla.suse.com/1177194
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177258
   https://bugzilla.suse.com/1177283
   https://bugzilla.suse.com/1177284
   https://bugzilla.suse.com/1177285
   https://bugzilla.suse.com/1177286
   https://bugzilla.suse.com/1177297
   https://bugzilla.suse.com/1177384
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/954532

From sle-security-updates at lists.suse.com Mon Nov 9 04:26:21 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Nov 2020 12:26:21 +0100 (CET)
Subject: SUSE-CU-2020:661-1: Security update of sles12/portus
Message-ID: <20201109112621.B142CFFAB@maintenance.suse.de>

SUSE Container Update Advisory: sles12/portus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:661-1
Container Tags        : sles12/portus:2.4.3
Container Release     : 2.10.117
Severity              : important
Type                  : security
References            : 1010996 1010996 1043983 1048072 1055265 1056286 1056782 1058754
                        1058755 1058757 1062452 1069607 1069632 1071152 1071152 1071390
                        1071390 1073002 1078782 1082007 1082008 1082009 1082010 1082011
                        1082014 1082058 1082318 1084671 1087433 1087434 1087436 1087437
                        1087440 1087441 1100415 1100415 1102840 1104780 1112530 1112532
                        1120629 1120630 1120631 1121446 1127155 1130611 1130617 1130620
                        1130622 1130623 1130627 1131823 1137977 1144169 1149332 1149995
                        1152590 1152990 1152992 1152994 1152995 1154256 1154609 1154871
                        1156159 1156276 1157315 1159928 1160039 1160160 1161262 1161436
                        1161517 1161521 1162698 1162879 1163834 1164538 1165633 1165784
                        1165915 1165915 1165919 1165919 1166301 1166510 1167622 1167898
                        1168195 1169488 1169582 1170601 1170715 1170771 1171145 1171517
                        1171550 1171550 1171863 1171864 1171866 1171878 1172021 1172055
                        1172085 1172265 1172275 1172295 1172399 1172698 1172704 1173027
                        1173227 1173593 1174080 1174537 1174660 1174673 1176013 1176123
                        1176179 1176410 1177143 1177460 1177460 1177864 1178346 1178350
                        1178353 888534 973042
                        CVE-2015-9096 CVE-2016-2339 CVE-2016-7798 CVE-2017-0898
                        CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902
                        CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
                        CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2017-9103
                        CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107
                        CVE-2017-9108 CVE-2017-9109 CVE-2017-9228 CVE-2017-9229
                        CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075
                        CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
                        CVE-2018-1000079 CVE-2018-16395 CVE-2018-16396 CVE-2018-20532
                        CVE-2018-20533 CVE-2018-20534 CVE-2018-6914 CVE-2018-8777
                        CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2019-15845
                        CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-18197
                        CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-8320
                        CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
                        CVE-2019-8325 CVE-2020-10029 CVE-2020-10543 CVE-2020-10663
                        CVE-2020-10878 CVE-2020-12243 CVE-2020-12723 CVE-2020-24977
                        CVE-2020-25219 CVE-2020-26154 CVE-2020-2752 CVE-2020-2812
                        CVE-2020-7595 CVE-2020-8023 CVE-2020-8177
-----------------------------------------------------------------

The container sles12/portus was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:50-1
Released:    Thu Jan 15 16:33:18 2015
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  888534

The system root SSL certificates were updated to match Mozilla NSS 2.2.
Some removed/disabled 1024-bit certificates were temporarily re-enabled/re-added, as openssl and gnutls handle intermediates differently than Mozilla NSS and would otherwise not recognize SSL certificates from commonly used sites like Amazon.

- Updated to 2.2 (bnc#888534)
  - The following CAs were added:
    + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth
    + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth
    + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth
    + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
  - The following CAs were changed:
    + Equifax_Secure_eBusiness_CA_1: remove code signing and https trust, leave email trust
    + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2: only trust emailProtection
- Updated to 2.1 (bnc#888534)
  - The following 1024-bit CA certificates were removed:
    - Entrust.net Secure Server Certification Authority
    - ValiCert Class 1 Policy Validation Authority
    - ValiCert Class 2 Policy Validation Authority
    - ValiCert Class 3 Policy Validation Authority
    - TDC Internet Root CA
  - The following CA certificates were added:
    - Certification Authority of WoSign
    - CA 沃通根证书
    - DigiCert Assured ID Root G2
    - DigiCert Assured ID Root G3
    - DigiCert Global Root G2
    - DigiCert Global Root G3
    - DigiCert Trusted Root G4
    - QuoVadis Root CA 1 G3
    - QuoVadis Root CA 2 G3
    - QuoVadis Root CA 3 G3
  - The trust bits were changed for the following CA certificates:
    - Class 3 Public Primary Certification Authority
    - Class 3 Public Primary Certification Authority
    - Class 2 Public Primary Certification Authority - G2
    - VeriSign Class 2 Public Primary Certification Authority - G3
    - AC Raíz Certicámara S.A.
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
- Temporarily re-enable some root CA trusts, as openssl/gnutls have trouble using intermediates as root CA:
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:587-1
Released:    Fri Apr 8 17:06:56 2016
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  973042

The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书
- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2
- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3
- Enable server trust for:
  * Actalis Authentication Root CA

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:265-1
Released:    Tue Feb 6 14:58:28 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390

This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024-bit legacy CAs that were temporarily left in to allow in-chain root certificates, as openssl is now able to handle them.

Further changes coming from Mozilla:

- New Root CAs added:
  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)
- Removed root CAs:
  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China
- Removed Code Signing rights from a lot of CAs (not listed here).
- Removed Server Auth rights from:
  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1643-1
Released:    Thu Aug 16 17:41:07 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

The following CAs were removed:
  * S-TRUST_Universal_Root_CA
  * TC_TrustCenter_Class_3_CA_II
  * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1763-1
Released:    Mon Aug 27 09:30:15 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780

This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from the following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- Removed CAs:
  - ComSign CA
- Added new CAs:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:149-1
Released:    Wed Jan 23 17:58:18 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:
  - AC Raiz Certicamara S.A.
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
  - Visa eCommerce Root

Added Root CAs:
  - Certigna Root CA (email and server auth)
  - GTS Root R1 (server auth)
  - GTS Root R2 (server auth)
  - GTS Root R3 (server auth)
  - GTS Root R4 (server auth)
  - OISTE WISeKey Global Root GC CA (email and server auth)
  - UCA Extended Validation Root (server auth)
  - UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2240-1
Released:    Wed Aug 28 14:57:51 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1144169

This update for ca-certificates-mozilla fixes the following issues:

- Update to the 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)
- Removed Root CAs:
  - Certinomis - Root CA
- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:596-1
Released:    Thu Mar 5 15:23:51 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1010996,1071152,1071390,1082318,1100415,1154871,1160160

This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

- Updated to the 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
  Removed certificates:
  - Certplus Class 2 Primary CA
  - Deutsche Telekom Root CA 2
  - CN=Swisscom Root CA 2
  - UTN-USERFirst-Client Authentication and Email
  Added certificates:
  - Entrust Root Certification Authority - G4
- Export correct p11kit trust attributes so Firefox detects built-in certificates (bsc#1154871).
- Updated to the 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to the 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:652-1
Released:    Thu Mar 12 09:53:23 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1165915,1165919,1166301

This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it requires a p11-kit tools update to be installed first, which cannot always be ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:786-1
Released:    Wed Mar 25 06:47:18 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1165915,1165919

This update for p11-kit fixes the following issues:

- Tag this version with the 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. (bsc#1165915 bsc#1165919)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:915-1
Released:    Fri Apr 3 13:15:11 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1168195

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:920-1
Released:    Fri Apr 3 17:13:04 2020
Summary:     Security update for libxslt
Type:        security
Severity:    moderate
References:  1154609,CVE-2019-18197

This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1168-1
Released:    Mon May 4 14:06:46 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1162879

This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1193-1
Released:    Tue May 5 16:26:05 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1312-1
Released:    Mon May 18 10:36:15 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1169582

This update for timezone fixes the following issues:

- timezone update 2020a (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1325-1
Released:    Mon May 18 11:50:19 2020
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1156276

This update for coreutils fixes the following issues:

- Fix an issue where, when using sort with the '--human-numeric-sort-key' option, the column containing the values could be faulty. (bsc#1156276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1329-1
Released:    Mon May 18 17:17:54 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for an internal compiler error when building HepMC (bsc#1167898)
- Includes a fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with the same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:822-1
Released:    Fri May 22 10:59:33 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1489-1
Released:    Wed May 27 18:29:21 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1172055

This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1570-1
Released:    Tue Jun 9 11:15:12 2020
Summary:     Security update for ruby2.1
Type:        security
Severity:    important
References:  1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663

This update for ruby2.1 fixes the following issues:

Security issues fixed:

- CVE-2015-9096: Fixed an SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV reuse in GCM mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications: insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications: the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to a negative size in a tar header, which could have caused a denial of service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation that allowed writing to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1612-1
Released:    Fri Jun 12 09:43:17 2020
Summary:     Security update for adns
Type:        security
Severity:    important
References:  1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109

This update for adns fixes the following issues:

- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in the local recursive resolver which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1625-1
Released:    Tue Jun 16 09:28:28 2020
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  1171550,CVE-2020-2752,CVE-2020-2812

This update for mariadb fixes the following issues:

mariadb was updated to version 10.0.44 (bsc#1171550)

- CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
- CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1662-1
Released:    Thu Jun 18 11:13:05 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in the regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of a Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built. This update solves the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1689-1
Released:    Fri Jun 19 11:03:49 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295

This update for audit fixes the following issues:

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
- Fix hang on startup. (bsc#1156159)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1732-1
Released:    Wed Jun 24 09:42:55 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177

This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server into overwriting a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1842-1
Released:    Fri Jul 3 22:40:42 2020
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386

This update for systemd fixes the following issues:

- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
- coredump: fixed a bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-ROM in exclusive mode. (bsc#1154256)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1859-1
Released:    Mon Jul 6 17:08:28 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170715,1172698,1172704,CVE-2020-8023

This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts (bsc#1170715).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1861-1
Released:    Mon Jul 6 18:11:32 2020
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    moderate
References:  1171550,1172399

This update for mariadb contains the following fixes:

- Use -DCMAKE_SKIP_RPATH=OFF and 'DCMAKE_SKIP_INSTALL_RPATH=ON' (bsc#1171550). This allows linking with -rpath during the build and fixes quite a few test suite failures. When installing, -rpath is still disabled, so this should not have any effect on the installed binaries. Fixes failed tests reported within (bsc#1171550).
- Fix updating tablespace ID in the index tree root pages. (bsc#1172399)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2059-1
Released:    Tue Jul 28 11:32:56 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1163834

This update for grep fixes the following issues:

- Fix an issue where the command 'grep -i' performs badly with multibyte, 'non-utf8' encodings. (bsc#1163834)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2287-1
Released:    Thu Aug 20 16:07:37 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1174080

This update for grep fixes the following issues:

- Fix for -P treating invalid UTF-8 input and causing inconsistency. (bsc#1174080)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2294-1
Released:    Fri Aug 21 16:59:17 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1174537

This update for openldap2 fixes the following issues:

- Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2410-1
Released:    Tue Sep 1 13:15:48 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1173593

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2428-1
Released:    Tue Sep 1 22:07:35 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1174673

This update for ca-certificates-mozilla fixes the following issues:

Update to the 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:
  - AddTrust External CA Root
  - AddTrust Class 1 CA Root
  - LuxTrust Global Root 2
  - Staat der Nederlanden Root CA - G2
  - Symantec Class 1 Public Primary Certification Authority - G4
  - Symantec Class 2 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:
  - certSIGN Root CA G2
  - e-Szigno Root CA 2017
  - Microsoft ECC Root Certificate Authority 2017
  - Microsoft RSA Root Certificate Authority 2017

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2587-1
Released:    Wed Sep 9 22:03:04 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1174660

This update for procps fixes the following issues:

- Add a fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2609-1
Released:    Fri Sep 11 10:58:59 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2660-1
Released:    Wed Sep 16 16:15:10 2020
Summary:     Security update for libsolv
Type:        security
Severity:    moderate
References:  1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libsolv fixes the following issues:

This is a reissue of an existing libsolv update that also includes libsolv-devel for LTSS products.

libsolv was updated to version 0.6.36, which fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue with multiversion packages that obsolete their own name (bsc#1127155).
- Keep a consistent package name if there are multiple alternatives (bsc#1131823).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2738-1
Released:    Thu Sep 24 14:54:13 2020
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    low
References:

This update for mariadb fixes the following issue:

- Enable checking of hostnames from SubjectAlternativeNames.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2777-1
Released:    Tue Sep 29 11:26:41 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1169488,1173227

This update for systemd fixes the following issues:

- Fixes some file mode inconsistencies for some ghost files (bsc#1173227)
- Fixes an issue where the system could hang on reboot (bsc#1169488)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2900-1
Released:    Tue Oct 13 14:20:15 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154

This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2959-1
Released:    Tue Oct 20 12:33:48 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123

This update for file fixes the following issues:

- Fixes an issue where file displays a broken 'ELF' interpreter. (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3024-1
Released:    Fri Oct 23 14:21:54 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1165784,1171878,1172085,1176013,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3100-1
Released:    Thu Oct 29 19:34:18 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460

This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3139-1
Released:    Tue Nov 3 13:18:28 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was the default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3156-1
Released: Wed Nov 4 15:21:49 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

From sle-security-updates at lists.suse.com Mon Nov 9 07:14:59 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Nov 2020 15:14:59 +0100 (CET)
Subject: SUSE-SU-2020:3256-1: important: Security update for u-boot
Message-ID: <20201109141459.60CC8FFAC@maintenance.suse.de>

SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3256-1
Rating: important
References: #1134157 #1134853 #1143463 #1143777 #1143817 #1143818 #1143819 #1143820 #1143821 #1143823 #1143824 #1143825 #1143827 #1143828 #1143830 #1143831 #1144656 #1144675 #1162198 #1167209
Cross-References: CVE-2019-11059 CVE-2019-11690 CVE-2019-13103 CVE-2019-13104 CVE-2019-13106 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 CVE-2020-10648 CVE-2020-8432
Affected Products: SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for u-boot fixes the following issues:

Fix CVE-2019-13106 (bsc#1144656), CVE-2019-13104 (bsc#1144675), CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3256=1

Package List:

- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64):
  u-boot-rpi3-2018.03-4.3.1
  u-boot-tools-2018.03-4.3.1
  u-boot-tools-debuginfo-2018.03-4.3.1

References:

https://www.suse.com/security/cve/CVE-2019-11059.html
https://www.suse.com/security/cve/CVE-2019-11690.html
https://www.suse.com/security/cve/CVE-2019-13103.html
https://www.suse.com/security/cve/CVE-2019-13104.html
https://www.suse.com/security/cve/CVE-2019-13106.html
https://www.suse.com/security/cve/CVE-2019-14192.html
https://www.suse.com/security/cve/CVE-2019-14193.html
https://www.suse.com/security/cve/CVE-2019-14194.html
https://www.suse.com/security/cve/CVE-2019-14195.html
https://www.suse.com/security/cve/CVE-2019-14196.html
https://www.suse.com/security/cve/CVE-2019-14197.html
https://www.suse.com/security/cve/CVE-2019-14198.html
https://www.suse.com/security/cve/CVE-2019-14199.html
https://www.suse.com/security/cve/CVE-2019-14200.html
https://www.suse.com/security/cve/CVE-2019-14201.html
https://www.suse.com/security/cve/CVE-2019-14202.html
https://www.suse.com/security/cve/CVE-2019-14203.html
https://www.suse.com/security/cve/CVE-2019-14204.html
https://www.suse.com/security/cve/CVE-2020-10648.html
https://www.suse.com/security/cve/CVE-2020-8432.html
https://bugzilla.suse.com/1134157
https://bugzilla.suse.com/1134853
https://bugzilla.suse.com/1143463
https://bugzilla.suse.com/1143777
https://bugzilla.suse.com/1143817
https://bugzilla.suse.com/1143818
https://bugzilla.suse.com/1143819
https://bugzilla.suse.com/1143820
https://bugzilla.suse.com/1143821
https://bugzilla.suse.com/1143823
https://bugzilla.suse.com/1143824
https://bugzilla.suse.com/1143825
https://bugzilla.suse.com/1143827
https://bugzilla.suse.com/1143828
https://bugzilla.suse.com/1143830
https://bugzilla.suse.com/1143831
https://bugzilla.suse.com/1144656
https://bugzilla.suse.com/1144675
https://bugzilla.suse.com/1162198
https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com Mon Nov 9 07:18:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Nov 2020 15:18:05 +0100 (CET)
Subject: SUSE-SU-2020:3257-1: moderate: Security update for ceph, deepsea
Message-ID: <20201109141805.D6C83FFAB@maintenance.suse.de>

SUSE Security Update: Security update for ceph, deepsea
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3257-1
Rating: moderate
References: #1151612 #1152100 #1155045 #1155262 #1156087 #1156409 #1158257 #1159689 #1160626 #1161718 #1162553 #1163119 #1164571 #1165713 #1165835 #1165840 #1166297 #1166393 #1166624 #1166670 #1166932 #1167477 #1168403 #1169134 #1169356 #1170487 #1170938 #1171367 #1171921 #1171956 #1172142 #1173339 #1174591 #1175061 #1175240 #1175781
Cross-References: CVE-2020-10753
Affected Products: SUSE Enterprise Storage 6
______________________________________________________________________________

An update that solves one vulnerability and has 35 fixes is now available.

Description:

This update for ceph, deepsea fixes the following issues:

- Update to 14.2.13-398-gb6c514eec7:
  + Upstream 14.2.13 release see https://ceph.io/releases/v14-2-13-nautilus-released/
    * (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor
- Update to 14.2.12-436-g6feab505b7:
  + Upstream 14.2.12 release see https://ceph.io/releases/v14-2-12-nautilus-released/
    * (bsc#1169134) mgr/dashboard: document Prometheus' security model
    * (bsc#1170487) monclient: schedule first tick using mon_client_hunt_interval
    * (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
    * (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with initiators logged-in
    * (bsc#1175061) os/bluestore: dump onode that has too many spanning blobs
    * (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
  + (bsc#1175781) ceph-volume: lvmcache: print help correctly
  + spec: move python-enum34 into rhel 7 conditional
- Update to 14.2.11-394-g9cbbc473c0:
  + Upstream 14.2.11 release see https://ceph.io/releases/v14-2-11-nautilus-released/
    * mgr/progress: Skip pg_summary update if _events dict is empty (bsc#1167477) (bsc#1172142) (bsc#1171956)
    * mgr/dashboard: Allow to edit iSCSI target with active session (bsc#1173339)
- Update to 14.2.10-392-gb3a13b81cb:
  + Upstream 14.2.10 release see https://ceph.io/releases/v14-2-10-nautilus-released/
    * mgr: Improve internal python to c++ interface (bsc#1167477)
- Update to 14.2.9-970-ged84cae0c9:
  + rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader (bsc#1171921, CVE-2020-10753)
- Update to 14.2.9-969-g9917342dc8d:
  * rebase on top of upstream nautilus, SHA1 ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
  * cmake: Improve test for 16-byte atomic support on IBM Z
  * (jsc#SES-680) monitoring: add details to Prometheus alerts
  * (bsc#1155045) mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking
  * (bsc#1152100) monitoring: alert for prediction of disk and pool fill up broken
  * (bsc#1155262) mgr/dashboard: iSCSI targets not available if any gateway is down
  * (bsc#1159689) os/bluestore: more flexible DB volume space usage
  * (bsc#1156087) ceph-volume: make get_devices fs location independent
  * (bsc#1156409) monitoring: wait before firing osd full alert
  * (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is already in use
  * (bsc#1161718) mount.ceph: remove arbitrary limit on size of name= option
  * (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json output
  * (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for new user
  * (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when editing controls
  * (bsc#1165713) mgr/dashboard: Repair broken grafana panels
  * (bsc#1165835) rgw: get barbican secret key request maybe return error code
  * (bsc#1165840) rgw: making implicit_tenants backwards compatible
  * (bsc#1166297) mgr/dashboard: Repair broken grafana panels
  * (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
  * (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password validation
  * (bsc#1166670) monitoring: root volume full alert fires false positives
  * (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
  * (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard RGW backend
  * (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard queue
  * (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
  * (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default
- Version: 0.9.33
  - drop workarounds for old ceph-volume lvm batch command
  - runners/upgrade: Add SES6->7 pre-upgrade checks

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2020-3257=1

Package List:

- SUSE Enterprise Storage 6 (noarch):
  deepsea-0.9.33+git.0.ed16d26e-3.27.1
  deepsea-cli-0.9.33+git.0.ed16d26e-3.27.1

References:

https://www.suse.com/security/cve/CVE-2020-10753.html
https://bugzilla.suse.com/1151612
https://bugzilla.suse.com/1152100
https://bugzilla.suse.com/1155045
https://bugzilla.suse.com/1155262
https://bugzilla.suse.com/1156087
https://bugzilla.suse.com/1156409
https://bugzilla.suse.com/1158257
https://bugzilla.suse.com/1159689
https://bugzilla.suse.com/1160626
https://bugzilla.suse.com/1161718
https://bugzilla.suse.com/1162553
https://bugzilla.suse.com/1163119
https://bugzilla.suse.com/1164571
https://bugzilla.suse.com/1165713
https://bugzilla.suse.com/1165835
https://bugzilla.suse.com/1165840
https://bugzilla.suse.com/1166297
https://bugzilla.suse.com/1166393
https://bugzilla.suse.com/1166624
https://bugzilla.suse.com/1166670
https://bugzilla.suse.com/1166932
https://bugzilla.suse.com/1167477
https://bugzilla.suse.com/1168403
https://bugzilla.suse.com/1169134
https://bugzilla.suse.com/1169356
https://bugzilla.suse.com/1170487
https://bugzilla.suse.com/1170938
https://bugzilla.suse.com/1171367
https://bugzilla.suse.com/1171921
https://bugzilla.suse.com/1171956
https://bugzilla.suse.com/1172142
https://bugzilla.suse.com/1173339
https://bugzilla.suse.com/1174591
https://bugzilla.suse.com/1175061
https://bugzilla.suse.com/1175240
https://bugzilla.suse.com/1175781

From sle-security-updates at lists.suse.com Mon Nov 9 07:23:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Nov 2020 15:23:32 +0100 (CET)
Subject: SUSE-SU-2020:3255-1: important: Security update for u-boot
Message-ID: <20201109142332.73EF3FFAB@maintenance.suse.de>

SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3255-1
Rating: important
References: #1134157 #1134853 #1143463 #1143777 #1143817 #1143818 #1143819 #1143820 #1143821 #1143823 #1143824 #1143825 #1143827 #1143828 #1143830 #1143831 #1160566 #1162198 #1167209
Cross-References: CVE-2019-11059 CVE-2019-11690 CVE-2019-13103 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 CVE-2020-10648 CVE-2020-8432
Affected Products: SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 18 vulnerabilities and has one errata is now available.

Description:

This update for u-boot fixes the following issues:

CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209).

Fix USB keyboard problems (bsc#1160566).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3255=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64):
  u-boot-rpi3-2019.01-5.3.1
  u-boot-tools-2019.01-5.3.1
  u-boot-tools-debuginfo-2019.01-5.3.1

References:

https://www.suse.com/security/cve/CVE-2019-11059.html
https://www.suse.com/security/cve/CVE-2019-11690.html
https://www.suse.com/security/cve/CVE-2019-13103.html
https://www.suse.com/security/cve/CVE-2019-14192.html
https://www.suse.com/security/cve/CVE-2019-14193.html
https://www.suse.com/security/cve/CVE-2019-14194.html
https://www.suse.com/security/cve/CVE-2019-14195.html
https://www.suse.com/security/cve/CVE-2019-14196.html
https://www.suse.com/security/cve/CVE-2019-14197.html
https://www.suse.com/security/cve/CVE-2019-14198.html
https://www.suse.com/security/cve/CVE-2019-14199.html
https://www.suse.com/security/cve/CVE-2019-14200.html
https://www.suse.com/security/cve/CVE-2019-14201.html
https://www.suse.com/security/cve/CVE-2019-14202.html
https://www.suse.com/security/cve/CVE-2019-14203.html
https://www.suse.com/security/cve/CVE-2019-14204.html
https://www.suse.com/security/cve/CVE-2020-10648.html
https://www.suse.com/security/cve/CVE-2020-8432.html
https://bugzilla.suse.com/1134157
https://bugzilla.suse.com/1134853
https://bugzilla.suse.com/1143463
https://bugzilla.suse.com/1143777
https://bugzilla.suse.com/1143817
https://bugzilla.suse.com/1143818
https://bugzilla.suse.com/1143819
https://bugzilla.suse.com/1143820
https://bugzilla.suse.com/1143821
https://bugzilla.suse.com/1143823
https://bugzilla.suse.com/1143824
https://bugzilla.suse.com/1143825
https://bugzilla.suse.com/1143827
https://bugzilla.suse.com/1143828
https://bugzilla.suse.com/1143830
https://bugzilla.suse.com/1143831
https://bugzilla.suse.com/1160566
https://bugzilla.suse.com/1162198
https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com Tue Nov 10 00:09:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 08:09:40 +0100 (CET)
Subject: SUSE-CU-2020:662-1: Security update of ses/6/cephcsi/cephcsi
Message-ID: <20201110070940.67EEDFFAC@maintenance.suse.de>

SUSE Container Update Advisory: ses/6/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:662-1
Container Tags : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.299 , ses/6/cephcsi/cephcsi:latest
Container Release : 1.5.299
Severity : important
Type : security
References : 1002895 1010996 1011548 1071152 1071390 1082318 1087982 1088358 1100369 1104902 1107105 1109160 1118367 1118368 1126826 1126829 1126831 1128220 1130873 1130873 1132798 1133297 1138666 1138793 1140126 1142152 1142649 1142733 1143609 1145231 1146991 1149911 1149955 1149995 1150021 1151612 1151708 1152100 1152590 1152692 1153768 1153770 1153943 1153946 1154661 1154803 1154803 1154871 1154935 1155045 1155262 1155271 1155327 1156087 1156159 1156205 1156300 1156409 1156913 1157051 1157315 1157755 1158257 1158336 1158358 1158817 1158830 1159314 1159689 1159819 1159928 1160254 1160590 1160626 1160933 1160979 1161168 1161239 1161335 1161517 1161521 1161718 1162553 1162698 1162930 1163119 1163333 1163526 1163744 1164126 1164260 1164538 1164543 1164543 1164571 1164718 1165011 1165424 1165439 1165476 1165476 1165502 1165539 1165573 1165573 1165580 1165713 1165835 1165840 1165894 1166139 1166260 1166297 1166393 1166531 1166610 1166610 1166624 1166670 1166678 1166881 1166932 1167122 1167122 1167471 1167477 1167732 1167898 1168076 1168235 1168345 1168364 1168389 1168403 1168669 1168669 1168699 1168756 1168835 1168990 1168990 1169134 1169356 1169357 1169488 1169512 1169569 1169582 1169604 1169746 1169872 1169944 1169947 1169947 1169992 1170175 1170247 1170487 1170527 1170571 1170572 1170667 1170713 1170771 1170801 1170801 1170908 1170938 1170964 1171145 1171173 1171224 1171224 1171313 1171367 1171422 1171510 1171561 1171656 1171740 1171762 1171863 1171864 1171866 1171872 1171878 1171883 1171921 1171956 1171978 1172021 1172055 1172072 1172085 1172135 1172135 1172142 1172195 1172295 1172348 1172461 1172506 1172597 1172698 1172704 1172798 1172824 1172846 1172925 1172925 1172958 1173027 1173032 1173104 1173106 1173227 1173229 1173273 1173274 1173307 1173311 1173339 1173422 1173422 1173529 1173539 1173972 1173983 1174011 1174079 1174091 1174154 1174230 1174240 1174260 1174551 1174561 1174591 1174673 1174697 1174736 1174753 1174817 1174918 1175061 1175109 1175168 1175240 1175342 1175443 1175568 1175592 1175781 1175811 1175830 1175831 1176086 1176092 1176123 1176173 1176173 1176179 1176181 1176263 1176384 1176410 1176513 1176625 1176671 1176674 1176756 1176800 1176899 1177143 1177460 1177460 1177864 1177977 1178346 1178350 1178353 906079 937216 973042 CVE-2017-3136 CVE-2018-5741 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-16056 CVE-2019-17006 CVE-2019-17450 CVE-2019-17451 CVE-2019-18218 CVE-2019-19956 CVE-2019-19956 CVE-2019-20388 CVE-2019-20907 CVE-2019-6477 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-10543 CVE-2020-10753 CVE-2020-10878 CVE-2020-11501 CVE-2020-12243 CVE-2020-12399 CVE-2020-12402 CVE-2020-12723 CVE-2020-13777 CVE-2020-13844 CVE-2020-14422 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15719 CVE-2020-15969 CVE-2020-1730 CVE-2020-1747 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-7595 CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
-----------------------------------------------------------------

The container ses/6/cephcsi/cephcsi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:949-1
Released: Wed Apr 8 07:45:48 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1168669

This update for mozilla-nss fixes the following issues:

- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756

This update for parted fixes the following issue:

- fix null pointer dereference. (bsc#1168756)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300

This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released: Mon Apr 20 10:49:39 2020
Summary: Recommended update for python-pytest
Type: recommended
Severity: low
References: 1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.
In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1061-1 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1169872 This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. 
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1069-1 Released: Wed Apr 22 16:48:00 2020 Summary: Recommended update for python-six Type: recommended Severity: moderate References: 1166139 This update for python-six fixes the following issues: - Use setuptools for building to support pip 10.x and avoid packages to be unistalled. (bsc#1166139) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1094-1 Released: Thu Apr 23 16:34:21 2020 Summary: Recommended update for python-google-api-python-client Type: recommended Severity: moderate References: 1088358,1160933 This update for python-google-api-python-client fixes the following issues: - Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148) python-cachetools 2.0.1 is shipped to the Public Cloud Module. python-google-auth 1.5.1 is shipped to the Public Cloud Module. python-google-api-python-client was updated to: - Upgrade to 1.7.4: just series of minor bugfixes - Fix check for error text on Python 3.7. (#278) - Use new Auth URIs. (#281) - Add code-of-conduct document. (#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. 
  + From version 1.4.0
    - Added `cryptography`-based RSA signer and verifier.
    - Added `google.oauth2.service_account.IDTokenCredentials`.
    - Improved documentation around ID Tokens
  + From version 1.3.0
    - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
    - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version.
    - ``default()`` now checks for the project ID environment var before warning about missing project ID.
    - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
    - Fixed example in docstring for ``ReadOnlyScoped``.
    - Made ``transport.requests`` use timeouts and retries to improve reliability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1131-1
Released:    Tue Apr 28 11:59:17 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170571,1170572
This update for mozilla-nss fixes the following issues:

- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May 5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released:    Thu May 7 11:20:34 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944
This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May 7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released:    Fri May 8 10:51:05 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released:    Wed May 13 13:17:59 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1171173
This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released:    Fri May 15 16:39:59 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1171422
This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released:    Mon May 18 07:38:36 2020
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released:    Mon May 18 07:43:21 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released:    Mon May 18 09:40:36 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1169582
This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released:    Mon May 18 10:05:46 2020
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1170247
This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released:    Mon May 18 17:16:04 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1155271
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056
This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1348-1
Released:    Wed May 20 11:37:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170908
This update for mozilla-nss fixes the following issues:

- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released:    Thu May 21 09:31:18 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1171872
This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released:    Thu May 21 19:06:00 2020
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1171656
This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):

- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released:    Mon May 25 14:09:02 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1162930
This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released:    Mon May 25 15:32:34 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1138793,1166260
This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and a ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one present at runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1411-1
Released:    Mon May 25 19:09:51 2020
Summary:     Recommended update for python-cheroot
Type:        recommended
Severity:    moderate
References:  1169604
This update for python-cheroot fixes the following issues:

- Fix to avoid possible race condition on persistent HTTP connections via SSH tunnel over proxy.
  (bsc#1169604)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released:    Wed May 27 18:32:41 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1171561
This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released:    Wed May 27 20:30:31 2020
Summary:     Recommended update for python-requests
Type:        recommended
Severity:    low
References:  1170175
This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released:    Fri May 29 17:22:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1087982,1170527
This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released:    Thu Jun 4 10:16:12 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released:    Thu Jun 4 13:24:37 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1172055
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released:    Mon Jun 8 12:39:15 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231,1150021,1158358,1163526,1164126,1164718
This update for lvm2 fixes the following issues:

- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is the same as before. When the value is 0, the user should use global_filter to control system-wide software, e.g. udev and lvmetad; global_filter_compat is not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun 9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs.
  (bsc#1172295)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun 9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could have caused the TLS server not to bind the session ticket encryption key to a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
- Fixed an improper handling of certificate chains with cross-signed intermediate CA certificates (bsc#1172461).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building.
  OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement.
  Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available.
  Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs to support it.
  You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

zypper was updated to version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by default and pulls in perl.
  Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released:    Wed Jun 17 15:07:58 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    important
References:  1169947,1172925
This update for zypper fixes the following issues:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released:    Thu Jun 18 18:16:39 2020
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    important
References:  1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released:    Fri Jun 19 09:44:54 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an issue which could have allowed an attacker to corrupt the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1745-1
Released:    Thu Jun 25 10:02:41 2020
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1132798,1142152,1158817,1166531,937216
This update for suse-module-tools fixes the following issues:

- Fixes a dependency issue on ppc64le with papr_scm (bsc#1142152, fate#327775)
- Fixes an issue where KVM virtualized machines with libvirt don't come up with an active ethernet connection when the host's bridge device is being used (openSUSE Leap only) (bsc#1158817)
- Added new configuration file for s390x: modprobe.conf.s390x (bsc#1132798)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released:    Thu Jun 25 18:44:37 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1169357
This update for krb5 fixes the following issue:

- Call systemd to reload the services instead of init-scripts.
  (bsc#1169357)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released:    Thu Jun 25 18:46:13 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15
  units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
  core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
  mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
  mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
  udev: rename the persistent link for ATA devices (bsc#1164538)
  shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
  tmpfiles: remove unnecessary assert (bsc#1171145)
  test-engine: manager_free() was called too early
  pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released:    Fri Jun 26 08:05:59 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:1787-1
Released:    Fri Jun 26 09:28:58 2020
Summary:     Recommended update for python-scipy
Type:        optional
Severity:    low
References:  1171510
This update for python-scipy doesn't fix any user visible issues, but improves the package building process.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released:    Thu Jul 2 11:30:42 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1173274,CVE-2020-14422
This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in IPv4Interface and IPv6Interface which could have led to denial of service (bsc#1173274).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released:    Fri Jul 3 12:33:05 2020
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1850-1
Released:    Mon Jul 6 14:44:39 2020
Summary:     Security update for mozilla-nss
Type:        security
Severity:    moderate
References:  1168669,1173032,CVE-2020-12402
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released:    Mon Jul 6 17:05:51 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released:    Mon Jul 6 17:09:44 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul 7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule() (bnc#1172135)
- Support rules with multiple negative literals in choice rule generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building.
  OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement.
  Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available.
  Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs to support it.
  You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by default and pulls in perl.
  Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1929-1
Released:    Wed Jul 15 14:59:50 2020
Summary:     Recommended update for python-numpy
Type:        recommended
Severity:    low
References:  1166678
This update for python-numpy fixes the following issues:

- Fixes a file conflict with /usr/bin/f2py (bsc#1166678)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1953-1
Released:    Sat Jul 18 03:06:11 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    important
References:  1164260
This update for parted fixes the following issue:

- fix support of NVDIMM (pmemXs) devices (bsc#1164260)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released:    Fri Jul 24 13:58:53 2020
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:

libsolv was updated to version 0.7.14:

- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule generation

libzypp was updated to version 17.24.0:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm.
  (bsc#1173106)
- Proactively send credentials if the URL specifies '?auth=basic' and a username. (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released:    Thu Jul 30 10:27:59 2020
Summary:     Recommended update for diffutils
Type:        recommended
Severity:    moderate
References:  1156913
This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released:    Fri Jul 31 08:06:40 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1173227,1173229,1173422
This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
  The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such a file. Also make it owned by the systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
  Ghost files are assumed by rpm to have mode 000 by default, which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases the user might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2124-1 Released: Wed Aug 5 09:24:47 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1172597 This update for lvm2 fixes the following issues: - Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2224-1 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1171878,1172085 This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2277-1 Released: Wed Aug 19 13:24:03 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1174091,CVE-2019-20907 This update for python3 fixes the following issues: - bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2278-1 Released: Wed Aug 19 21:26:08 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1149911,1151708,1168235,1168389 This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. 
  (bsc#1149911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released:    Thu Aug 20 16:04:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:

update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:
* AddTrust External CA Root
* AddTrust Class 1 CA Root
* LuxTrust Global Root 2
* Staat der Nederlanden Root CA - G2
* Symantec Class 1 Public Primary Certification Authority - G4
* Symantec Class 2 Public Primary Certification Authority - G4
* VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:
* certSIGN Root CA G2
* e-Szigno Root CA 2017
* Microsoft ECC Root Certificate Authority 2017
* Microsoft RSA Root Certificate Authority 2017

- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix for an issue where system messages with placeholders are not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep 1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a
  command specified by 'Exec*='. (bsc#1172824, bsc#1142733)
  pid1: improve message when setting up namespace fails.
  execute: let's close glibc syslog channels too.
  execute: normalize logging in execute.c.
  execute: fix typo in error message.
  execute: drop explicit log_open()/log_close() now that it is unnecessary.
  execute: make use of the new logging mode in execute.c
  log: add a mode where we open the log fds for every single log message.
  log: let's make use of the fact that our functions return the negative error code for log_oom() too.
  execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  execute: rework logging in setup_keyring() to include unit info.
  execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep 1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2425-1
Released:    Tue Sep 1 13:54:05 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1174260
This update for nfs-utils fixes the following issues:

- Fix a bug when concurrent 'gssd' requests arrive from the kernel, causing hanging NFS mounts. (bsc#1174260)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released:    Wed Sep 2 09:33:22 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's multi API and
  sets the 'CURLOPT_CONNECT_ONLY' option might, in rare circumstances,
  experience that when subsequently using the set-up connect-only transfer,
  libcurl will pick and use the wrong connection, choosing instead another one
  the application has created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep 9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SANs falling back to CN validation in violation of RFC 6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in LUKS2 header. This release properly
  supports all specified metadata areas, as documented in the LUKS2 format
  description.
  Currently, only the default metadata area size is used (in format or
  convert). Later cryptsetup versions will allow increasing this metadata area
  size.
- If AEAD (authenticated encryption) is used, cryptsetup now tries to check
  whether the requested AEAD algorithm with the specified key size is
  available in the kernel crypto API. This change avoids formatting a device
  that cannot be activated later. For this function, the kernel must be
  compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note that the
  kernel user crypto API options (CONFIG_CRYPTO_USER_API and
  CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.
- Fix setting of integrity no-journal flag. Now you can store this flag to
  metadata using the --persistent option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if
  interrupted during the initial password prompt.
- Adds an early check to plain and LUKS2 formats to disallow device format if
  the device size is not aligned to the requested sector size. Previously it
  was possible, and the kernel later refused to activate the device.
- Fix checking of hash algorithm availability for PBKDF early. Previously,
  LUKS2 format accepted a non-existent hash algorithm, producing an invalid
  keyslot that prevented the device from being activated.
- Allow Adiantum cipher construction (a non-authenticated length-preserving
  fast encryption scheme), so it can be used both for data encryption and
  keyslot encryption in LUKS1/2 devices.
  For benchmark, use:
    # cryptsetup benchmark -c xchacha12,aes-adiantum
    # cryptsetup benchmark -c xchacha20,aes-adiantum
  For LUKS format:
    # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config; libraries and headers are not installed under the /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2757-1
Released:    Fri Sep 25 19:45:40 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1173104
This update for nfs-utils fixes the following issue:

- Some scripts require Python2 although it is not installed by default, and they can work with Python3. (bsc#1173104)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct 1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:

- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special
  behaviour for when a kernel version has the rebuild counter before the
  kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:

- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct 2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625
This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2855-1
Released:    Mon Oct 5 08:26:53 2020
Summary:     Recommended update for nfs-ganesha
Type:        recommended
Severity:    moderate
References:  1176263
This update for nfs-ganesha fixes the following issues:

- Version upgrade to version 2.8.4+git0.28562219d includes a lot of bug fixes.
  Please refer to this package's changelog to get a full list of all bug fixes.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct 6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd: call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile: add some missing ;; in case/esac statements
- profile and csh.login: on s390x set TERM to dumb on a dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a nameserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered
  from a request. Root and TLD servers are no longer exempt from
  max-recursion-queries. Fetches for missing name server address records are
  limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly
  treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to
  update names outside of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as described in the ARM
  (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was
  possible to trigger an assertion failure in code determining the number of
  bits in the PKCS#11 RSA public key with a specially crafted packet
  (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that
  named, being the only member of the 'named' group, has full r/w access yet
  cannot change directories owned by root in the case of a compromised named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress the warning message about the missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files) as this
  option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of
  /usr/sbin/dnssec-keygen, as BIND now uses the random number functions
  provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a
  source of randomness rather than /dev/random. Therefore the -r command line
  option no longer has any effect on dnssec-keygen. Leaving the option in
  genDDNSkey so as not to break compatibility. Patch provided by Stefan
  Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced
by the gcc10 variants.

The new compiler variants are available with the '-10' suffix; you can
specify them via:

  CC=gcc-10 CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue where the command 'ps -C' no longer allowed an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released:    Wed Oct 21 11:37:14 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1176173
This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where file displayed a broken 'ELF' interpreter. (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
  The old behaviour - of displaying as many characters as possible, up to
  the 80 column limit - can be restored by the use of the
  --silent-truncation option.
* The linker can now produce a dependency file listing the inputs that it
  has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to generate
  ascii art that shows the arcs between the start and end points of control
  flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a HTTP
  service for distributing ELF/DWARF debugging information as well as source
  code. The tools can now connect to debuginfod servers in order to download
  debug information about the files that they are processing.
* The assembler and linker now support the generation of ELF format files
  for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2 (SVE2)
  instructions, the Arm Transactional Memory Extension (TME) instructions
  and the Armv8.1-M Mainline and M-profile Vector Extension (MVE)
  instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
  processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
  Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow encoding of
  16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3
  LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure
  time option to set the default behavior. Set the default if the configure
  option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of which
  workaround to use. The option --fix-cortex-a53-843419 now takes an
  optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be
  used to force a particular workaround to be used. See --help for AArch64
  for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
  GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the
  AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=] option to objdump which if present, provides a
  prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment = option to objcopy to allow the changing of
  section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to control
  width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links and
  --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links)
  will now display and/or follow multiple links if more than one are present
  in a file. (This usually happens when gcc's -gsplit-dwarf option is used).
  In addition objdump's --dwarf=follow-links now also affects its other
  display options, so that for example, when combined with --syms it will
  cause the symbol tables in any linked debug info files to also be
  displayed. In addition when combined with --disassemble the
  --dwarf=follow-links option will ensure that any symbol tables in the
  linked files are read and used when disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format to
  objdump and readelf.

- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924

* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3091-1 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Type: security Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes 
displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important References: 1177460,1178346,1178350,1178353 This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. 
(bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3253-1 Released: Mon Nov 9 07:45:04 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 
1174697,1176173

This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3257-1
Released: Mon Nov 9 11:12:55 2020
Summary: Security update for ceph, deepsea
Type: security
Severity: moderate
References: 1151612,1152100,1155045,1155262,1156087,1156409,1158257,1159689,1160626,1161718,1162553,1163119,1164571,1165713,1165835,1165840,1166297,1166393,1166624,1166670,1166932,1167477,1168403,1169134,1169356,1170487,1170938,1171367,1171921,1171956,1172142,1173339,1174591,1175061,1175240,1175781,CVE-2020-10753

This update for ceph, deepsea fixes the following issues:

- Update to 14.2.13-398-gb6c514eec7:
  + Upstream 14.2.13 release see https://ceph.io/releases/v14-2-13-nautilus-released/
  * (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor
- Update to 14.2.12-436-g6feab505b7:
  + Upstream 14.2.12 release see https://ceph.io/releases/v14-2-12-nautilus-released/
  * (bsc#1169134) mgr/dashboard: document Prometheus' security model
  * (bsc#1170487) monclient: schedule first tick using mon_client_hunt_interval
  * (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
  * (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with initiators logged-in
  * (bsc#1175061) os/bluestore: dump onode that has too many spanning blobs
  * (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
  + (bsc#1175781) ceph-volume: lvmcache: print help correctly
  + spec: move python-enum34 into rhel 7 conditional
- Update to 14.2.11-394-g9cbbc473c0:
  + Upstream 14.2.11 release see https://ceph.io/releases/v14-2-11-nautilus-released/
  * mgr/progress: Skip pg_summary update if _events dict is empty (bsc#1167477) (bsc#1172142) (bsc#1171956)
  * mgr/dashboard: Allow to edit iSCSI target with active session (bsc#1173339)
- Update to 14.2.10-392-gb3a13b81cb:
  + Upstream 14.2.10 release see https://ceph.io/releases/v14-2-10-nautilus-released/
  * mgr: Improve internal python to c++ interface (bsc#1167477)
- Update to 14.2.9-970-ged84cae0c9:
  + rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader (bsc#1171921, CVE-2020-10753)
- Update to 14.2.9-969-g9917342dc8d:
  * rebase on top of upstream nautilus, SHA1 ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
  * cmake: Improve test for 16-byte atomic support on IBM Z
  * (jsc#SES-680) monitoring: add details to Prometheus alerts
  * (bsc#1155045) mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking
  * (bsc#1152100) monitoring: alert for prediction of disk and pool fill up broken
  * (bsc#1155262) mgr/dashboard: iSCSI targets not available if any gateway is down
  * (bsc#1159689) os/bluestore: more flexible DB volume space usage
  * (bsc#1156087) ceph-volume: make get_devices fs location independent
  * (bsc#1156409) monitoring: wait before firing osd full alert
  * (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is already in use
  * (bsc#1161718) mount.ceph: remove arbitrary limit on size of name= option
  * (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json output
  * (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for new user
  * (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when editing controls
  * (bsc#1165713) mgr/dashboard: Repair broken grafana panels
  * (bsc#1165835) rgw: get barbican secret key request maybe return error code
  * (bsc#1165840) rgw: making implicit_tenants backwards compatible
  * (bsc#1166297) mgr/dashboard: Repair broken grafana panels
  * (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
  * (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password validation
  * (bsc#1166670) monitoring: root volume full alert fires false positives
  * (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
  * (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard RGW backend
  * (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard queue
  * (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
  * (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default
- Version: 0.9.33
- drop workarounds for old ceph-volume lvm batch command
- runners/upgrade: Add SES6->7 pre-upgrade checks

From sle-security-updates at lists.suse.com Tue Nov 10 00:12:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 08:12:16 +0100 (CET)
Subject: SUSE-CU-2020:663-1: Security update of ses/6/ceph/ceph
Message-ID: <20201110071216.860B3FFAC@maintenance.suse.de>

SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:663-1
Container Tags        : ses/6/ceph/ceph:14.2.13.398 , ses/6/ceph/ceph:14.2.13.398.1.5.297 , ses/6/ceph/ceph:latest
Container Release     : 1.5.297
Severity              : important
Type                  : security
References            : 1002895 1010996 1011548 1071152 1071390 1082318 1087982 1088358 1100369 1104902 1107105 1109160 1118367 1118368 1126826 1126829 1126831 1128220 1130873 1130873 1132798 1133297 1138666 1138793 1140126 1142152 1142649 1142733 1143609 1145231 1146991 1149911 1149955 1149995 1150021 1151612 1151708 1152100 1152590 1152692 1153768 1153770 1153943 1153946 1154661 1154803 1154803 1154871 1154935 1155045 1155262 1155271 1155327 1156087 1156159 1156205 1156300 1156409 1156913 1157051 1157315 1157755 1158257 1158336 1158358 1158817 1158830 1159314 1159689 1159819 1159928 1160254 1160590 1160626 1160933 1160979 1161168 1161239 1161335 1161517 1161521 1161718 1162553 1162698 1162930 1163119 1163333 1163526 1163744 1164126 1164260 1164538 1164543 1164543 1164571 1164718 1165011 1165424 1165439 1165476 1165476 1165502 1165539 1165573 1165573 1165580 1165713 1165835 1165840 1165894 1166139 1166260 1166297 1166393 1166531 1166610 1166610 1166624 1166670 1166678 1166881 1166932 1167122 1167122 1167471 1167477 1167732 1167898 1168076 1168235 1168345 1168364 1168389 1168403 1168669 1168669 1168699 1168756 1168835 1168990 1168990 1169134 1169356 1169357 1169488 1169512 1169569 1169582 1169604 1169746 1169872 1169944 1169947 1169947 1169992 1170175 1170247 1170487 1170527 1170571 1170572 1170667 1170713 1170771 1170801 1170801 1170908 1170938 1170964 1171145 1171173 1171224 1171224 1171313 1171367 1171422 1171510 1171561 1171656 1171740 1171762 1171863 1171864 1171866 1171872 1171878 1171883 1171921 1171956 1171978 1172021 1172055 1172072 1172085 1172135 1172135 1172142 1172195 1172295 1172348 1172461 1172506 1172597 1172698 1172704 1172798 1172824 1172846 1172925 1172925 1172958 1173027 1173032 1173104 1173106 1173227 1173229 1173273 1173274 1173307 1173311 1173339 1173422 1173422 1173529 1173539 1173972 1173983 1174011 1174079 1174091 1174154 1174230 1174240 1174260 1174551 1174561 1174591 1174673 1174697 1174736 1174753 1174817 1174918 1175061 1175109 1175168 1175240 1175342 1175443 1175568 1175592 1175781 1175811 1175830 1175831 1176086 1176092 1176123 1176173 1176173 1176179 1176181 1176263 1176384 1176410 1176513 1176625 1176671 1176674 1176756 1176800 1176899 1177143 1177460 1177460 1177864 1177977 1178346 1178350 1178353 906079 937216 973042 CVE-2017-3136 CVE-2018-5741 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-16056 CVE-2019-17006 CVE-2019-17450 CVE-2019-17451 CVE-2019-18218 CVE-2019-19956 CVE-2019-19956 CVE-2019-20388 CVE-2019-20907 CVE-2019-6477 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-10543 CVE-2020-10753 CVE-2020-10878 CVE-2020-11501 CVE-2020-12243 CVE-2020-12399 CVE-2020-12402 CVE-2020-12723 CVE-2020-13777 CVE-2020-13844 CVE-2020-14422 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15719 CVE-2020-15969 CVE-2020-1730 CVE-2020-1747 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-7595 CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:949-1
Released: Wed Apr 8 07:45:48 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1168669

This update for mozilla-nss fixes the following issues:

- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756

This update for parted fixes the following issue:

- fix null pointer dereference. (bsc#1168756)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300

This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:
- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted paths as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released: Mon Apr 20 10:49:39 2020
Summary: Recommended update for python-pytest
Type: recommended
Severity: low
References: 1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.
In Basesystem:
- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:
- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released: Tue Apr 21 10:33:06 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1168835

This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1061-1
Released: Wed Apr 22 10:45:41 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1169872

This update for mozilla-nss fixes the following issues:

- This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
- Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1069-1
Released: Wed Apr 22 16:48:00 2020
Summary: Recommended update for python-six
Type: recommended
Severity: moderate
References: 1166139

This update for python-six fixes the following issues:

- Use setuptools for building to support pip 10.x and avoid packages being uninstalled. (bsc#1166139)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released: Thu Apr 23 16:34:21 2020
Summary: Recommended update for python-google-api-python-client
Type: recommended
Severity: moderate
References: 1088358,1160933

This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148)

python-cachetools 2.0.1 is shipped to the Public Cloud Module.
python-google-auth 1.5.1 is shipped to the Public Cloud Module.

python-google-api-python-client was updated to:
- Upgrade to 1.7.4: just series of minor bugfixes
- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document. (#270)
- Fix some typos in test_urllib3.py (#268)
- Warn when using user credentials from the Cloud SDK (#266)
- Add compute engine-based IDTokenCredentials (#236)
- Corrected some typos (#265)

Update to 1.4.2:
- Raise a helpful exception when trying to refresh credentials without a refresh token. (#262)
- Fix links to README and CONTRIBUTING in docs/index.rst. (#260)
- Fix a typo in credentials.py. (#256)
- Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255)
- Fix typo on example of jwt usage (#245)

New upstream release 1.4.1 (bsc#1088358)
- Added a check for the cryptography version before attempting to use it.
+ From version 1.4.0
  - Added `cryptography`-based RSA signer and verifier.
  - Added `google.oauth2.service_account.IDTokenCredentials`.
  - Improved documentation around ID Tokens
+ From version 1.3.0
  - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
  - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version.
  - ``default()`` now checks for the project ID environment var before warning about missing project ID.
  - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
  - Fixed example in docstring for ``ReadOnlyScoped``.
  - Made ``transport.requests`` use timeouts and retries to improve reliability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released: Fri Apr 24 16:31:01 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1169992

This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1131-1
Released: Tue Apr 28 11:59:17 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1170571,1170572

This update for mozilla-nss fixes the following issues:

- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released: Wed May 13 13:17:59 2020
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1171173

This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released: Fri May 15 16:39:59 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1171422

This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released: Mon May 18 10:05:46 2020
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1170247

This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released: Tue May 19 13:27:31 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1149955,1165894,CVE-2019-16056

This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1348-1
Released: Wed May 20 11:37:41 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1170908

This update for mozilla-nss fixes the following issues:

The following issues are fixed:
- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656

This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1411-1
Released: Mon May 25 19:09:51 2020
Summary: Recommended update for python-cheroot
Type: recommended
Severity: moderate
References: 1169604

This update for python-cheroot fixes the following issues:

- Fix to avoid possible race condition on persistent HTTP connections via SSH tunnel over proxy. (bsc#1169604)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released: Wed May 27 18:32:41 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1171561

This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released: Wed May 27 20:30:31 2020
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 1170175

This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released:    Thu Jun 4 13:24:37 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1172055
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released:    Mon Jun 8 12:39:15 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231,1150021,1158358,1163526,1164126,1164718
This update for lvm2 fixes the following issues:

- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is the same as before. When the value is 0, the user should use global_filter to control system-wide software, e.g. udev and lvmetad; global_filter_compat is not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing a device. (bsc#1150021)
- Fix for boot taking an extremely long time with 400 LUNs. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmetad' and 'lvmcache'. (bsc#1164718)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun 9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun 9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server not bind the session ticket encryption key to a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
- Fixed an improper handling of certificate chains with cross-signed intermediate CA certificates (bsc#1172461).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path. It's actually not needed and for this to work also libsolv needs to support it. You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

zypper was updated to version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper. Supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released:    Wed Jun 17 15:07:58 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    important
References:  1169947,1172925
This update for zypper fixes the following issues:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released:    Thu Jun 18 18:16:39 2020
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    important
References:  1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released:    Fri Jun 19 09:44:54 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in the regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of a Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1745-1
Released:    Thu Jun 25 10:02:41 2020
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1132798,1142152,1158817,1166531,937216
This update for suse-module-tools fixes the following issues:

- Fixes a dependency issue on ppc64le with papr_scm (bsc#1142152, fate#327775)
- Fixes an issue where KVM virtualized machines with libvirt don't come up with an active ethernet connection when the host's bridge device is being used (openSUSE Leap only) (bsc#1158817)
- Added new configuration file for s390x: modprobe.conf.s390x (bsc#1132798)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released:    Thu Jun 25 18:44:37 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1169357
This update for krb5 fixes the following issue:

- Call systemd to reload the services instead of init-scripts. (bsc#1169357)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released:    Thu Jun 25 18:46:13 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15
  units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
  core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
  mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
  mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
  udev: rename the persistent link for ATA devices (bsc#1164538)
  shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
  tmpfiles: remove unnecessary assert (bsc#1171145)
  test-engine: manager_free() was called too early
  pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released:    Fri Jun 26 08:05:59 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server into overwriting a local file when using the -J option (bsc#1173027).
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:1787-1
Released:    Fri Jun 26 09:28:58 2020
Summary:     Recommended update for python-scipy
Type:        optional
Severity:    low
References:  1171510
This update for python-scipy doesn't fix any user visible issues, but improves the package building process.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released:    Thu Jul 2 11:30:42 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1173274,CVE-2020-14422
This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface classes which could have led to denial of service (bsc#1173274).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released:    Fri Jul 3 12:33:05 2020
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1850-1
Released:    Mon Jul 6 14:44:39 2020
Summary:     Security update for mozilla-nss
Type:        security
Severity:    moderate
References:  1168669,1173032,CVE-2020-12402
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released:    Mon Jul 6 17:05:51 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released:    Mon Jul 6 17:09:44 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul 7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule() (bnc#1172135)
- Support rules with multiple negative literals in choice rule generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path. It's actually not needed and for this to work also libsolv needs to support it. You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper. Supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1929-1
Released:    Wed Jul 15 14:59:50 2020
Summary:     Recommended update for python-numpy
Type:        recommended
Severity:    low
References:  1166678
This update for python-numpy fixes the following issues:

- Fixes a file conflict with /usr/bin/f2py (bsc#1166678)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1953-1
Released:    Sat Jul 18 03:06:11 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    important
References:  1164260
This update for parted fixes the following issue:

- fix support of NVDIMM (pmemXs) devices (bsc#1164260)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released:    Fri Jul 24 13:58:53 2020
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:

libsolv was updated to version 0.7.14:

- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule generation

libzypp was updated to version 17.24.0:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm. (bsc#1173106)
- Proactively send credentials if the URL specifies '?auth=basic' and a username. (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released:    Thu Jul 30 10:27:59 2020
Summary:     Recommended update for diffutils
Type:        recommended
Severity:    moderate
References:  1156913
This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released:    Fri Jul 31 08:06:40 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1173227,1173229,1173422
This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
  The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such a file. Also make it owned by the systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
  Ghost files are assumed by rpm to have mode 000 by default, which is not consistent with the file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases the user might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2124-1
Released:    Wed Aug 5 09:24:47 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1172597
This update for lvm2 fixes the following issues:

- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released:    Thu Aug 13 09:15:47 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1171878,1172085
This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files seen by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released:    Wed Aug 19 13:24:03 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1174091,CVE-2019-20907
This update for python3 fixes the following issues:

- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2278-1
Released:    Wed Aug 19 21:26:08 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1149911,1151708,1168235,1168389
This update for util-linux fixes the following issues:

- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released:    Thu Aug 20 16:04:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:

- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
  Removed CAs:
  * AddTrust External CA Root
  * AddTrust Class 1 CA Root
  * LuxTrust Global Root 2
  * Staat der Nederlanden Root CA - G2
  * Symantec Class 1 Public Primary Certification Authority - G4
  * Symantec Class 2 Public Primary Certification Authority - G4
  * VeriSign Class 3 Public Primary Certification Authority - G3
  Added CAs:
  * certSIGN Root CA G2
  * e-Szigno Root CA 2017
  * Microsoft ECC Root Certificate Authority 2017
  * Microsoft RSA Root Certificate Authority 2017
- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix for an issue where system messages with placeholders are not properly replaced. (bsc#1170964)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep 1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733)
  pid1: improve message when setting up namespace fails.
  execute: let's close glibc syslog channels too.
  execute: normalize logging in execute.c.
  execute: fix typo in error message.
  execute: drop explicit log_open()/log_close() now that it is unnecessary.
  execute: make use of the new logging mode in execute.c
  log: add a mode where we open the log fds for every single log message.
  log: let's make use of the fact that our functions return the negative error code for log_oom() too.
  execute: downgrade a log message ERR -> WARNING, since we proceed ignoring its result.
  execute: rework logging in setup_keyring() to include unit info.
  execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep 1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2425-1
Released:    Tue Sep 1 13:54:05 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1174260
This update for nfs-utils fixes the following issues:

- Fix a bug when concurrent 'gssd' requests arrive from the kernel, causing hanging NFS mounts. (bsc#1174260)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released:    Wed Sep 2 09:33:22 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option might in rare circumstances experience that, when subsequently using the set-up connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep 9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SANs falling back to CN validation in violation of rfc6125.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in LUKS2 header. This release properly supports all specified metadata areas, as documented in LUKS2 format description.
  Currently, only the default metadata area size is used (in format or convert). Later cryptsetup versions will allow increasing this metadata area size.
- If AEAD (authenticated encryption) is used, cryptsetup now tries to check if the requested AEAD algorithm with the specified key size is available in the kernel crypto API. This change avoids formatting a device that cannot be activated later. For this function, the kernel must be compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note that kernel user crypto API options (CONFIG_CRYPTO_USER_API and CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.
- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using the --persistent option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.
- Adds early check to plain and LUKS2 formats to disallow device format if the device size is not aligned to the requested sector size. Previously it was possible, and the kernel later refused to activate the device.
- Fix checking of hash algorithm availability for PBKDF early. Previously LUKS2 format allowed a non-existent hash algorithm with an invalid keyslot, preventing the device from activation.
- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in LUKS1/2 devices.
  For benchmark, use:
    # cryptsetup benchmark -c xchacha12,aes-adiantum
    # cryptsetup benchmark -c xchacha20,aes-adiantum
  For LUKS format:
    # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config; libraries and headers are not installed under the /usr/lib/mit prefix. (bsc#1174079)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2757-1
Released:    Fri Sep 25 19:45:40 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1173104
This update for nfs-utils fixes the following issue:

- Some scripts require Python2 while it is not installed by default, and they can work with Python3. (bsc#1173104)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct 1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:

- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:

- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct 2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625
This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2855-1
Released:    Mon Oct 5 08:26:53 2020
Summary:     Recommended update for nfs-ganesha
Type:        recommended
Severity:    moderate
References:  1176263
This update for nfs-ganesha fixes the following issues:

- Version upgrade to version 2.8.4+git0.28562219d includes a lot of bug fixes. Please refer to this package's changelog to get a full list of all bug fixes.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct 6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd: call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile: add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a nameserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered
  from a request. Root and TLD servers are no longer exempt from
  max-recursion-queries. Fetches for missing name server address records are
  limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger
  an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the
  tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether
  a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content and query
  patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly
  treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to
  update names outside of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as described in the ARM
  (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was
  possible to trigger an assertion failure in code determining the number of
  bits in the PKCS#11 RSA public key with a specially crafted packet
  (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where
  QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a
  specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created chroot
  environment on systems using transactional-updates (bsc#1100369,
  fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is discontinued; GeoIP2 is now used (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when
  bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but
  otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to
  12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for
  'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that
  named, being a/the only member of the 'named' group, has full r/w access
  yet cannot change directories owned by root in the case of a compromised
  named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named
  to suppress the warning message about the missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named
  system/lwresd.init system/named.init in vendor-files) as this option is
  deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674,
  bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of
  /usr/sbin/dnssec-keygen as BIND now uses the random number functions
  provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a
  source of randomness rather than /dev/random. Therefore the -r command
  line option no longer has any effect on dnssec-keygen. Leaving the option
  in genDDNSkey so as not to break compatibility. Patch provided by
  Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc
  subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd
  context as well as legacy sysv, make use of start_daemon.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced
by the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify
them via:

  CC=gcc-10
  CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue where the command 'ps -C' no longer allowed an argument
  longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released:    Wed Oct 21 11:37:14 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1176173
This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman
  algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where file displayed a broken 'ELF' interpreter.
  (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent
  (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is
  processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
  The old behaviour - of displaying as many characters as possible, up to
  the 80 column limit - can be restored by the use of the
  --silent-truncation option.
* The linker can now produce a dependency file listing the inputs that it
  has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to generate
  ASCII art that shows the arcs between the start and end points of control
  flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is an HTTP
  service for distributing ELF/DWARF debugging information as well as source
  code. The tools can now connect to debuginfod servers in order to download
  debug information about the files that they are processing.
* The assembler and linker now support the generation of ELF format files
  for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2 (SVE2)
  instructions, the Arm Transactional Memory Extension (TME) instructions
  and the Armv8.1-M Mainline and M-profile Vector Extension (MVE)
  instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
  processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
  Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow encoding of
  16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3
  LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure
  time option to set the default behavior. Set the default if the configure
  option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of which
  workaround to use. The option --fix-cortex-a53-843419 now takes an
  optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be
  used to force a particular workaround to be used. See --help for AArch64
  for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
  GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the
  AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=] option to objdump which if present, provides a
  prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment = option to objcopy to allow the changing of
  section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to control
  width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links and
  --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links)
  will now display and/or follow multiple links if more than one are present
  in a file. (This usually happens when gcc's -gsplit-dwarf option is used).
  In addition objdump's --dwarf=follow-links now also affects its other
  display options, so that for example, when combined with --syms it will
  cause the symbol tables in any linked debug info files to also be
  displayed. In addition when combined with --disassemble the
  --dwarf=follow-links option will ensure that any symbol tables in the
  linked files are read and used when disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format to
  objdump and readelf.

- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released:    Thu Oct 29 16:35:37 2020
Summary:     Security update for MozillaThunderbird and mozilla-nspr
Type:        security
Severity:    important
References:  1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

- Mozilla Thunderbird 78.4
  * new: MailExtensions: browser.tabs.sendMessage API added
  * new: MailExtensions: messageDisplayScripts API added
  * changed: Yahoo and AOL mail users using password authentication will be
    migrated to OAuth2
  * changed: MailExtensions: messageDisplay APIs extended to support multiple
    selected messages
  * changed: MailExtensions: compose.begin functions now support creating a
    message with attachments
  * fixed: Thunderbird could freeze when updating global search index
  * fixed: Multiple issues with handling of self-signed SSL certificates
    addressed
  * fixed: Recipient address fields in compose window could expand to fill
    all available space
  * fixed: Inserting emoji characters in message compose window caused
    unexpected behavior
  * fixed: Button to restore default folder icon color was not keyboard
    accessible
  * fixed: Various keyboard navigation fixes
  * fixed: Various color-related theme fixes
  * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener()
    did not work
  MFSA 2020-47 (bsc#1177977)
  * CVE-2020-15969 Use-after-free in usersctp
  * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were sometimes
    displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was changed to support
    macOS 11.
  * Dependency needed for the MozillaThunderbird update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released:    Thu Oct 29 19:33:41 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released:    Tue Nov 3 09:48:13 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346,
  bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov 3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accept
  MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902,
  bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3234-1
Released:    Fri Nov 6 16:01:36 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS
Certificate store (bsc#1177864)

- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released:    Mon Nov 9 07:45:04 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1174697,1176173
This update for mozilla-nss fixes the following issues:

- Fixes an issue where Mozilla Firefox failed in FIPS mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman
  algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3257-1
Released:    Mon Nov 9 11:12:55 2020
Summary:     Security update for ceph, deepsea
Type:        security
Severity:    moderate
References:  1151612,1152100,1155045,1155262,1156087,1156409,1158257,1159689,1160626,1161718,1162553,1163119,1164571,1165713,1165835,1165840,1166297,1166393,1166624,1166670,1166932,1167477,1168403,1169134,1169356,1170487,1170938,1171367,1171921,1171956,1172142,1173339,1174591,1175061,1175240,1175781,CVE-2020-10753
This update for ceph, deepsea fixes the following issues:

- Update to 14.2.13-398-gb6c514eec7:
  + Upstream 14.2.13 release
    see https://ceph.io/releases/v14-2-13-nautilus-released/
    * (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor
- Update to 14.2.12-436-g6feab505b7:
  + Upstream 14.2.12 release
    see https://ceph.io/releases/v14-2-12-nautilus-released/
    * (bsc#1169134) mgr/dashboard: document Prometheus' security model
    * (bsc#1170487) monclient: schedule first tick using
      mon_client_hunt_interval
    * (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
    * (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with
      initiators logged-in
    * (bsc#1175061) os/bluestore: dump onode that has too many spanning blobs
    * (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
  + (bsc#1175781) ceph-volume: lvmcache: print help correctly
  + spec: move python-enum34 into rhel 7 conditional
- Update to 14.2.11-394-g9cbbc473c0:
  + Upstream 14.2.11 release
    see https://ceph.io/releases/v14-2-11-nautilus-released/
    * mgr/progress: Skip pg_summary update if _events dict is empty
      (bsc#1167477) (bsc#1172142) (bsc#1171956)
    * mgr/dashboard: Allow to edit iSCSI target with active session
      (bsc#1173339)
- Update to 14.2.10-392-gb3a13b81cb:
  + Upstream 14.2.10 release
    see https://ceph.io/releases/v14-2-10-nautilus-released/
    * mgr: Improve internal python to c++ interface (bsc#1167477)
- Update to 14.2.9-970-ged84cae0c9:
  + rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader
    (bsc#1171921, CVE-2020-10753)
- Update to 14.2.9-969-g9917342dc8d:
  * rebase on top of upstream nautilus,
    SHA1 ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
  * cmake: Improve test for 16-byte atomic support on IBM Z
  * (jsc#SES-680) monitoring: add details to Prometheus alerts
  * (bsc#1155045) mgr/dashboard: add debug mode, and accept expected
    exception when SSL handshaking
  * (bsc#1152100) monitoring: alert for prediction of disk and pool fill up
    broken
  * (bsc#1155262) mgr/dashboard: iSCSI targets not available if any gateway
    is down
  * (bsc#1159689) os/bluestore: more flexible DB volume space usage
  * (bsc#1156087) ceph-volume: make get_devices fs location independent
  * (bsc#1156409) monitoring: wait before firing osd full alert
  * (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is
    already in use
  * (bsc#1161718) mount.ceph: remove arbitrary limit on size of name= option
  * (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json
    output
  * (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for
    new user
  * (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when editing
    controls
  * (bsc#1165713) mgr/dashboard: Repair broken grafana panels
  * (bsc#1165835) rgw: get barbican secret key request maybe return error
    code
  * (bsc#1165840) rgw: making implicit_tenants backwards compatible
  * (bsc#1166297) mgr/dashboard: Repair broken grafana panels
  * (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
  * (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password validation
  * (bsc#1166670) monitoring: root volume full alert fires false positives
  * (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
  * (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard RGW
    backend
  * (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard
    queue
  * (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
  * (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default
- Version: 0.9.33
- drop workarounds for old ceph-volume lvm batch command
- runners/upgrade: Add SES6->7 pre-upgrade checks

From sle-security-updates at lists.suse.com Tue Nov 10 00:17:43 2020
From: sle-security-updates at lists.suse.com
(sle-security-updates at lists.suse.com) Date: Tue, 10 Nov 2020 08:17:43 +0100 (CET) Subject: SUSE-CU-2020:665-1: Security update of ses/6/rook/ceph Message-ID: <20201110071743.F14ACFFAC@maintenance.suse.de> SUSE Container Update Advisory: ses/6/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:665-1 Container Tags : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.295 , ses/6/rook/ceph:latest Container Release : 1.5.295 Severity : important Type : security References : 1002895 1010996 1011548 1071152 1071390 1082318 1087982 1088358 1100369 1104902 1107105 1109160 1118367 1118368 1126826 1126829 1126831 1128220 1130873 1130873 1132798 1133297 1138666 1138793 1140126 1142152 1142649 1142733 1143609 1145231 1146991 1149911 1149955 1149995 1150021 1151612 1151708 1152100 1152590 1152692 1153768 1153770 1153943 1153946 1154661 1154803 1154803 1154871 1154935 1155045 1155262 1155271 1155327 1156087 1156159 1156205 1156300 1156409 1156913 1157051 1157315 1157755 1158257 1158336 1158358 1158817 1158830 1159314 1159689 1159819 1159928 1160254 1160590 1160626 1160933 1160979 1161168 1161239 1161335 1161517 1161521 1161718 1162553 1162698 1162930 1163119 1163333 1163526 1163744 1164126 1164260 1164538 1164543 1164543 1164571 1164718 1165011 1165424 1165439 1165476 1165476 1165502 1165539 1165573 1165573 1165580 1165713 1165835 1165840 1165894 1166139 1166260 1166297 1166393 1166531 1166610 1166610 1166624 1166670 1166678 1166881 1166932 1167122 1167122 1167471 1167477 1167732 1167898 1168076 1168235 1168345 1168364 1168389 1168403 1168669 1168669 1168699 1168756 1168835 1168990 1168990 1169134 1169356 1169357 1169488 1169512 1169569 1169582 1169604 1169746 1169872 1169944 1169947 1169947 1169992 1170175 1170247 1170487 1170527 1170571 1170572 1170667 1170713 1170771 1170801 1170801 1170908 1170938 1170964 1171145 1171173 1171224 1171224 1171313 1171367 1171422 1171510 1171561 1171656 1171740 1171762 1171863 
1171864 1171866 1171872 1171878 1171883 1171921 1171956 1171978 1172021 1172055 1172072 1172085 1172135 1172135 1172142 1172195 1172295 1172348 1172461 1172506 1172597 1172698 1172704 1172798 1172824 1172846 1172925 1172925 1172958 1173027 1173032 1173104 1173106 1173227 1173229 1173273 1173274 1173307 1173311 1173339 1173422 1173422 1173529 1173539 1173972 1173983 1174011 1174079 1174091 1174154 1174230 1174240 1174260 1174551 1174561 1174591 1174673 1174697 1174736 1174753 1174817 1174918 1175061 1175109 1175168 1175240 1175342 1175443 1175568 1175592 1175781 1175811 1175830 1175831 1176086 1176092 1176123 1176173 1176173 1176179 1176181 1176263 1176384 1176410 1176513 1176625 1176671 1176674 1176756 1176800 1176899 1177143 1177460 1177460 1177864 1177977 1178346 1178350 1178353 906079 937216 973042 CVE-2017-3136 CVE-2018-5741 CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-16056 CVE-2019-17006 CVE-2019-17450 CVE-2019-17451 CVE-2019-18218 CVE-2019-19956 CVE-2019-19956 CVE-2019-20388 CVE-2019-20907 CVE-2019-6477 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077 CVE-2020-10543 CVE-2020-10753 CVE-2020-10878 CVE-2020-11501 CVE-2020-12243 CVE-2020-12399 CVE-2020-12402 CVE-2020-12723 CVE-2020-13777 CVE-2020-13844 CVE-2020-14422 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15719 CVE-2020-15969 CVE-2020-1730 CVE-2020-1747 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-7595 CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 ----------------------------------------------------------------- The container ses/6/rook/ceph was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr 8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:949-1
Released:    Wed Apr 8 07:45:48 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1168669

This update for mozilla-nss fixes the following issues:

- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released:    Wed Apr 8 12:59:50 2020
Summary:     Security update for python-PyYAML
Type:        security
Severity:    important
References:  1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr 8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr 9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr 9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released:    Mon Apr 13 15:42:59 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    moderate
References:  1168756

This update for parted fixes the following issue:

- Fix null pointer dereference. (bsc#1168756)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300

This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted patches as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released:    Mon Apr 20 10:49:39 2020
Summary:     Recommended update for python-pytest
Type:        recommended
Severity:    low
References:  1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.
In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835

This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1061-1
Released:    Wed Apr 22 10:45:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1169872

This update for mozilla-nss fixes the following issues:

- This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
- Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1069-1
Released:    Wed Apr 22 16:48:00 2020
Summary:     Recommended update for python-six
Type:        recommended
Severity:    moderate
References:  1166139

This update for python-six fixes the following issues:

- Use setuptools for building to support pip 10.x and avoid packages being uninstalled. (bsc#1166139)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released:    Thu Apr 23 16:34:21 2020
Summary:     Recommended update for python-google-api-python-client
Type:        recommended
Severity:    moderate
References:  1088358,1160933

This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148)

python-cachetools 2.0.1 is shipped to the Public Cloud Module.

python-google-auth 1.5.1 is shipped to the Public Cloud Module.

python-google-api-python-client was updated to:

- Upgrade to 1.7.4: just a series of minor bugfixes
- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document. (#270)
- Fix some typos in test_urllib3.py (#268)
- Warn when using user credentials from the Cloud SDK (#266)
- Add compute engine-based IDTokenCredentials (#236)
- Corrected some typos (#265)

Update to 1.4.2:

- Raise a helpful exception when trying to refresh credentials without a refresh token. (#262)
- Fix links to README and CONTRIBUTING in docs/index.rst. (#260)
- Fix a typo in credentials.py. (#256)
- Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255)
- Fix typo in example of jwt usage (#245)

New upstream release 1.4.1 (bsc#1088358)

- Added a check for the cryptography version before attempting to use it.
+ From version 1.4.0
  - Added `cryptography`-based RSA signer and verifier.
  - Added `google.oauth2.service_account.IDTokenCredentials`.
  - Improved documentation around ID Tokens
+ From version 1.3.0
  - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
  - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version.
  - ``default()`` now checks for the project ID environment var before warning about missing project ID.
  - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
  - Fixed example in docstring for ``ReadOnlyScoped``.
  - Made ``transport.requests`` use timeouts and retries to improve reliability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992

This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1131-1
Released:    Tue Apr 28 11:59:17 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170571,1170572

This update for mozilla-nss fixes the following issues:

- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May 5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released:    Thu May 7 11:20:34 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May 7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released:    Fri May 8 10:51:05 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released:    Wed May 13 13:17:59 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1171173

This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released:    Fri May 15 16:39:59 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1171422

This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released:    Mon May 18 07:38:36 2020
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released:    Mon May 18 07:43:21 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released:    Mon May 18 09:40:36 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released:    Mon May 18 10:05:46 2020
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1170247

This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released:    Mon May 18 17:16:04 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056

This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1348-1
Released:    Wed May 20 11:37:41 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1170908

This update for mozilla-nss fixes the following issues:

- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released:    Thu May 21 09:31:18 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released:    Thu May 21 19:06:00 2020
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1171656

This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):

- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released:    Mon May 25 14:09:02 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released:    Mon May 25 15:32:34 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and a ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one present at runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1411-1
Released:    Mon May 25 19:09:51 2020
Summary:     Recommended update for python-cheroot
Type:        recommended
Severity:    moderate
References:  1169604

This update for python-cheroot fixes the following issues:

- Fix to avoid possible race condition on persistent HTTP connections via SSH tunnel over proxy. (bsc#1169604)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released:    Wed May 27 18:32:41 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1171561

This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released:    Wed May 27 20:30:31 2020
Summary:     Recommended update for python-requests
Type:        recommended
Severity:    low
References:  1170175

This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released:    Fri May 29 17:22:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released:    Thu Jun 4 10:16:12 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released:    Thu Jun 4 13:24:37 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1172055

This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released:    Mon Jun 8 12:39:15 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231,1150021,1158358,1163526,1164126,1164718

This update for lvm2 fixes the following issues:

- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is the same as before. When the value is 0, the user should use global_filter to control system-wide software (e.g. udev and lvmetad); global_filter_compat is not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmetad' and 'lvmcache'. (bsc#1164718)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun 9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295

This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun 9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777

This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
- Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building.
  OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available.
  Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs to support it. You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

zypper was updated to version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- Fix 'accoring' to 'according' in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released:    Wed Jun 17 15:07:58 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    important
References:  1169947,1172925

This update for zypper fixes the following issues:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released:    Thu Jun 18 18:16:39 2020
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    important
References:  1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr was updated to version 4.25

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released:    Fri Jun 19 09:44:54 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in the regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of a Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1745-1
Released:    Thu Jun 25 10:02:41 2020
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1132798,1142152,1158817,1166531,937216

This update for suse-module-tools fixes the following issues:

- Fixes a dependency issue on ppc64le with papr_scm (bsc#1142152, fate#327775)
- Fixes an issue where KVM virtualized machines with libvirt don't come up with an active ethernet connection when the host's bridge device is being used (openSUSE Leap only) (bsc#1158817)
- Added new configuration file for s390x: modprobe.conf.s390x (bsc#1132798)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released:    Thu Jun 25 18:44:37 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1169357

This update for krb5 fixes the following issue:

- Call systemd to reload the services instead of init-scripts. (bsc#1169357)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released:    Thu Jun 25 18:46:13 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1157315,1162698,1164538,1169488,1171145,1172072

This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15
  units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
  core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
  mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
  mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
  udev: rename the persistent link for ATA devices (bsc#1164538)
  shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
  tmpfiles: remove unnecessary assert (bsc#1171145)
  test-engine: manager_free() was called too early
  pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released:    Fri Jun 26 08:05:59 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177

This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:1787-1
Released:    Fri Jun 26 09:28:58 2020
Summary:     Recommended update for python-scipy
Type:        optional
Severity:    low
References:  1171510

This update for python-scipy doesn't fix any user visible issues, but improves the package building process.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1822-1 Released: Thu Jul 2 11:30:42 2020 Summary: Security update for python3 Type: security Severity: important References: 1173274,CVE-2020-14422 This update for python3 fixes the following issues: - CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1850-1 Released: Mon Jul 6 14:44:39 2020 Summary: Security update for mozilla-nss Type: security Severity: moderate References: 1168669,1173032,CVE-2020-12402 This update for mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53.1 - CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032) - Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1856-1 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1172698,1172704,CVE-2020-8023 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released:    Mon Jul 6 17:09:44 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883

This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul 7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule() (bnc#1172135)
- Support rules with multiple negative literals in choice rule generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building.
  OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement.
  Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted packages are available.
  Avoid using retracted items as candidate (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path.
  It's actually not needed and for this to work also libsolv needs to support it.
  You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  Supplementing zypper means zypper-aptitude gets installed by default and pulls in perl.
  Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- 'accoring' to 'according' in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1929-1
Released:    Wed Jul 15 14:59:50 2020
Summary:     Recommended update for python-numpy
Type:        recommended
Severity:    low
References:  1166678

This update for python-numpy fixes the following issues:

- Fixes a file conflict with /usr/bin/f2py (bsc#1166678)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1953-1
Released:    Sat Jul 18 03:06:11 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    important
References:  1164260

This update for parted fixes the following issue:

- fix support of NVDIMM (pmemXs) devices (bsc#1164260)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released:    Fri Jul 24 13:58:53 2020
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1170801,1171224,1172135,1173106,1174011

This update for libsolv, libzypp fixes the following issues:

libsolv was updated to version 0.7.14:

- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule generation

libzypp was updated to version 17.24.0:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm.
  (bsc#1173106)
- Proactively send credentials if the URL specifies '?auth=basic' and a username. (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released:    Thu Jul 30 10:27:59 2020
Summary:     Recommended update for diffutils
Type:        recommended
Severity:    moderate
References:  1156913

This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released:    Fri Jul 31 08:06:40 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1173227,1173229,1173422

This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
  The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such a file. Also make it owned by the systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
  Ghost files are assumed by rpm to have mode 000 by default, which is not consistent with the file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases the user might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2124-1
Released:    Wed Aug 5 09:24:47 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1172597

This update for lvm2 fixes the following issues:

- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released:    Thu Aug 13 09:15:47 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1171878,1172085

This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released:    Wed Aug 19 13:24:03 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1174091,CVE-2019-20907

This update for python3 fixes the following issues:

- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2278-1
Released:    Wed Aug 19 21:26:08 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1149911,1151708,1168235,1168389

This update for util-linux fixes the following issues:

- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found.
  (bsc#1149911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released:    Thu Aug 20 16:04:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1010996,1071152,1071390,1154871,1174673,973042

This update for ca-certificates-mozilla fixes the following issues:

- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
  Removed CAs:
  * AddTrust External CA Root
  * AddTrust Class 1 CA Root
  * LuxTrust Global Root 2
  * Staat der Nederlanden Root CA - G2
  * Symantec Class 1 Public Primary Certification Authority - G4
  * Symantec Class 2 Public Primary Certification Authority - G4
  * VeriSign Class 3 Public Primary Certification Authority - G3
  Added CAs:
  * certSIGN Root CA G2
  * e-Szigno Root CA 2017
  * Microsoft ECC Root Certificate Authority 2017
  * Microsoft RSA Root Certificate Authority 2017
- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964

This update for e2fsprogs fixes the following issues:

- Fix for an issue where system messages with placeholders are not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep 1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539

This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733)
  pid1: improve message when setting up namespace fails.
  execute: let's close glibc syslog channels too.
  execute: normalize logging in *execute.c*.
  execute: fix typo in error message.
  execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  execute: make use of the new logging mode in *execute.c*
  log: add a mode where we open the log fds for every single log message.
  log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  execute: rework logging in *setup_keyring()* to include unit info.
  execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep 1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736

This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2425-1
Released:    Tue Sep 1 13:54:05 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1174260

This update for nfs-utils fixes the following issues:

- Fix a bug when concurrent 'gssd' requests arrive from kernel, causing hanging NFS mounts.
  (bsc#1174260)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released:    Wed Sep 2 09:33:22 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231

This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep 9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719

This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977

This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580

This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.
  This release properly supports all specified metadata areas, as documented in *LUKS2* format description.
  Currently, only default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.
- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.
  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled.
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2.
- Fix setting of integrity no-journal flag.
  Now you can store this flag to metadata using *--persistent* option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.
- Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested sector size.
  Previously it was possible, and the device was rejected to activate by kernel later.
- Fix checking of hash algorithms availability for *PBKDF* early.
  Previously *LUKS2* format allowed non-existent hash algorithm with invalid keyslot preventing the device from activation.
- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in *LUKS1/2* devices.
  For benchmark, use:
    # cryptsetup benchmark -c xchacha12,aes-adiantum
    # cryptsetup benchmark -c xchacha20,aes-adiantum
  For LUKS format:
    # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831

This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079

This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027

This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2757-1
Released:    Fri Sep 25 19:45:40 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1173104

This update for nfs-utils fixes the following issue:

- Some scripts are requiring Python2 while it is not installed by default and they can work with Python3.
  (bsc#1173104)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct 1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592

This update for libzypp, zypper provides the following fixes:

Changes in libzypp:

- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels.
  This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:

- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct 2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625

This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2855-1
Released:    Mon Oct 5 08:26:53 2020
Summary:     Recommended update for nfs-ganesha
Type:        recommended
Severity:    moderate
References:  1176263

This update for nfs-ganesha fixes the following issues:

- Version upgrade to version 2.8.4+git0.28562219d includes a lot of bug fixes.
  Please refer to this package's changelog to get a full list of all bug fixes.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct 6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762

This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154

This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624

This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues.
  For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from a request.
  Root and TLD servers are no longer exempt from max-recursion-queries.
  Fetches for missing name server address records are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains.
  The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group, has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey so as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844

This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:

  CC=gcc-10 CXX=g++-10

or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830

This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released:    Wed Oct 21 11:37:14 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1176173

This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123

This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter.
  (bsc#1176123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659

This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077

This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name. The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option.
* The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]

Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to generate ascii art that shows the arcs between the start and end points of control flow instructions.
* The binutils tools now have support for debuginfod.
  Debuginfod is an HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing.
* The assembler and linker now support the generation of ELF format files for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension (TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. Set the default if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI. * Add -z pac-plt for AArch64 to pick PAC enabled PLTs. * Add --source-comment[=] option to objdump which if present, provides a prefix to source code lines displayed in a disassembly. * Add --set-section-alignment = option to objcopy to allow the changing of section alignments. * Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format. * The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used). In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf= follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file. * Add support for dumping types encoded in the Compact Type Format to objdump and readelf. - Includes fixes for these CVEs: bsc#1126826 aka CVE-2019-9077 aka PR1126826 bsc#1126829 aka CVE-2019-9075 aka PR1126829 bsc#1126831 aka CVE-2019-9074 aka PR24235 bsc#1140126 aka CVE-2019-12972 aka PR23405 bsc#1143609 aka CVE-2019-14444 aka PR24829 bsc#1142649 aka CVE-2019-14250 aka PR90924 * Add xBPF target * Fix various problems with DWARF 5 support in gas * fix nm -B for objects compiled with -flto and -fcommon. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released:    Thu Oct 29 16:35:37 2020
Summary:     Security update for MozillaThunderbird and mozilla-nspr
Type:        security
Severity:    important
References:  1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969

This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

- Mozilla Thunderbird 78.4
  * new: MailExtensions: browser.tabs.sendMessage API added
  * new: MailExtensions: messageDisplayScripts API added
  * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
  * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
  * changed: MailExtensions: compose.begin functions now support creating a message with attachments
  * fixed: Thunderbird could freeze when updating global search index
  * fixed: Multiple issues with handling of self-signed SSL certificates addressed
  * fixed: Recipient address fields in compose window could expand to fill all available space
  * fixed: Inserting emoji characters in message compose window caused unexpected behavior
  * fixed: Button to restore default folder icon color was not keyboard accessible
  * fixed: Various keyboard navigation fixes
  * fixed: Various color-related theme fixes
  * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
  MFSA 2020-47 (bsc#1177977)
  * CVE-2020-15969 Use-after-free in usersctp
  * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was changed to support macOS 11.
  * Dependency needed for the MozillaThunderbird update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released:    Thu Oct 29 19:33:41 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460

This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released:    Tue Nov 3 09:48:13 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov 3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3234-1
Released:    Fri Nov 6 16:01:36 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released:    Mon Nov 9 07:45:04 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1174697,1176173

This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3257-1
Released:    Mon Nov 9 11:12:55 2020
Summary:     Security update for ceph, deepsea
Type:        security
Severity:    moderate
References:  1151612,1152100,1155045,1155262,1156087,1156409,1158257,1159689,1160626,1161718,1162553,1163119,1164571,1165713,1165835,1165840,1166297,1166393,1166624,1166670,1166932,1167477,1168403,1169134,1169356,1170487,1170938,1171367,1171921,1171956,1172142,1173339,1174591,1175061,1175240,1175781,CVE-2020-10753

This update for ceph, deepsea fixes the following issues:

- Update to 14.2.13-398-gb6c514eec7:
  + Upstream 14.2.13 release see https://ceph.io/releases/v14-2-13-nautilus-released/
  * (bsc#1151612, bsc#1158257) ceph-volume: major batch refactor
- Update to 14.2.12-436-g6feab505b7:
  + Upstream 14.2.12 release see https://ceph.io/releases/v14-2-12-nautilus-released/
  * (bsc#1169134) mgr/dashboard: document Prometheus' security model
  * (bsc#1170487) monclient: schedule first tick using mon_client_hunt_interval
  * (bsc#1174591) mgr/dashboard: Unable to edit iSCSI logged-in client
  * (bsc#1174591) mgr/dashboard: Allow editing iSCSI targets with initiators logged-in
  * (bsc#1175061) os/bluestore: dump onode that has too many spanning blobs
  * (bsc#1175240) pybind/mgr/restful: use dict.items() for py3 compatible
  + (bsc#1175781) ceph-volume: lvmcache: print help correctly
  + spec: move python-enum34 into rhel 7 conditional
- Update to 14.2.11-394-g9cbbc473c0:
  + Upstream 14.2.11 release see https://ceph.io/releases/v14-2-11-nautilus-released/
  * mgr/progress: Skip pg_summary update if _events dict is empty (bsc#1167477) (bsc#1172142) (bsc#1171956)
  * mgr/dashboard: Allow to edit iSCSI target with active session (bsc#1173339)
- Update to 14.2.10-392-gb3a13b81cb:
  + Upstream 14.2.10 release see https://ceph.io/releases/v14-2-10-nautilus-released/
  * mgr: Improve internal python to c++ interface (bsc#1167477)
- Update to 14.2.9-970-ged84cae0c9:
  + rgw: sanitize newlines in s3 CORSConfiguration's ExposeHeader (bsc#1171921, CVE-2020-10753)
- Update to 14.2.9-969-g9917342dc8d:
  * rebase on top of upstream nautilus, SHA1 ccd9c04f88e53aef7e4f1068ce1221fa3b97450d
  * cmake: Improve test for 16-byte atomic support on IBM Z
  * (jsc#SES-680) monitoring: add details to Prometheus alerts
  * (bsc#1155045) mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking
  * (bsc#1152100) monitoring: alert for prediction of disk and pool fill up broken
  * (bsc#1155262) mgr/dashboard: iSCSI targets not available if any gateway is down
  * (bsc#1159689) os/bluestore: more flexible DB volume space usage
  * (bsc#1156087) ceph-volume: make get_devices fs location independent
  * (bsc#1156409) monitoring: wait before firing osd full alert
  * (bsc#1160626) mgr/dashboard: Unable to remove an iSCSI gateway that is already in use
  * (bsc#1161718) mount.ceph: remove arbitrary limit on size of name= option
  * (bsc#1162553) ceph-volume: strip _dmcrypt suffix in simple scan json output
  * (bsc#1163119) mgr/dashboard: Not able to restrict bucket creation for new user
  * (bsc#1164571) mgr/dashboard: Prevent iSCSI target recreation when editing controls
  * (bsc#1165713) mgr/dashboard: Repair broken grafana panels
  * (bsc#1165835) rgw: get barbican secret key request maybe return error code
  * (bsc#1165840) rgw: making implicit_tenants backwards compatible
  * (bsc#1166297) mgr/dashboard: Repair broken grafana panels
  * (bsc#1166393) mgr/dashboard: KeyError on dashboard reload
  * (bsc#1166624) mgr/dashboard: Fix iSCSI's username and password validation
  * (bsc#1166670) monitoring: root volume full alert fires false positives
  * (bsc#1166932) mgr: synchronize ClusterState's health and mon_status
  * (bsc#1168403) mgr/dashboard: Add more debug information to Dashboard RGW backend
  * (bsc#1169356) rgw: reshard: skip stale bucket id entries from reshard queue
  * (bsc#1170938) mon/OSDMonitor: allow trimming maps even if osds are down
  * (bsc#1171367) Set OSD's bluefs-buffered-io param to false by default
- Version: 0.9.33
- drop workarounds for old ceph-volume lvm batch command
- runners/upgrade: Add SES6->7 pre-upgrade checks

From sle-security-updates at lists.suse.com Tue Nov 10 07:15:22 2020
From: sle-security-updates at lists.suse.com
(sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 15:15:22 +0100 (CET)
Subject: SUSE-SU-2020:3262-1: moderate: Security update for python3
Message-ID: <20201110141522.5B721FFAC@maintenance.suse.de>

SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3262-1
Rating:             moderate
References:         #1177211
Cross-References:   CVE-2020-26116
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python3 fixes the following issues:

- bsc#1177211 (CVE-2020-26116): special characters are no longer allowed in the method parameter of HTTPConnection.putrequest in httplib, which stops the injection of headers.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
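Before the per-product commands, an added example (my own code, not SUSE's and not CPython's) of the check the CVE-2020-26116 fix describes: a request-method validator that refuses ASCII control characters (and, in strict mode, anything that is not an RFC 7230 token), together with an offline probe of whether the running interpreter's http.client already enforces the same rule. The names validate_method, rejects, request_line and interpreter_rejects_control_chars are this example's own, and the regex patterns are mine rather than copied from the upstream patch.

```python
import http.client
import re

# Added example, not SUSE's or CPython's code. This pattern mirrors the behaviour
# described for the CVE-2020-26116 fix: any ASCII control character (0x00-0x1f,
# which includes CR and LF) is refused in the request method, so the method can
# never terminate the request line early and start a new header line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")

# Stricter option: RFC 7230 defines method = token = 1*tchar. This also rejects
# space, DEL, ':' and non-ASCII characters, which the control-character rule alone
# lets through (those break the request line but cannot add a header).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_method(method, strict=False):
    """Return method unchanged if it may go on a request line, else raise ValueError.

    Default mode applies only the control-character rule from the fix; strict=True
    additionally requires a well-formed RFC 7230 token.
    """
    if not isinstance(method, str) or not method:
        raise ValueError("method must be a non-empty str")
    if _CONTROL_CHARS.search(method):
        raise ValueError("method can't contain control characters: %r" % method)
    if strict and not _TOKEN.match(method):
        raise ValueError("method is not an RFC 7230 token: %r" % method)
    return method


def rejects(method, strict=False):
    """True if validate_method() refuses the given method (convenience for checks)."""
    try:
        validate_method(method, strict=strict)
    except ValueError:
        return True
    return False


def request_line(method, target, version="HTTP/1.1"):
    """Build a request line, validating both fields so neither can end the line early."""
    method = validate_method(method, strict=True)
    if not target or _CONTROL_CHARS.search(target) or " " in target:
        raise ValueError("bad request target: %r" % target)
    # .encode('ascii') raises UnicodeEncodeError (a ValueError) on non-ASCII targets.
    return ("%s %s %s\r\n" % (method, target, version)).encode("ascii")


def interpreter_rejects_control_chars():
    """Offline check of whether this interpreter's http.client already enforces the fix.

    putrequest() only buffers the request line; no socket is opened, so the
    constructed probe below is never sent anywhere. Patched interpreters raise
    ValueError, unpatched ones silently accept the method.
    """
    conn = http.client.HTTPConnection("127.0.0.1")
    try:
        conn.putrequest("GET\r\n", "/")  # constructed probe value containing CR LF
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print(request_line("GET", "/index.html"))
    for m in ("GET", "GET\r\n", "GE T"):
        print(repr(m), "rejected:", rejects(m), "rejected (strict):", rejects(m, strict=True))
    print("interpreter enforces the fix:", interpreter_rejects_control_chars())
```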
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3262=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3262=1
- SUSE Linux Enterprise Module for Web Scripting 12:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-3262=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  python3-base-debuginfo-3.4.10-25.55.1 python3-base-debugsource-3.4.10-25.55.1 python3-dbm-3.4.10-25.55.1 python3-dbm-debuginfo-3.4.10-25.55.1 python3-debuginfo-3.4.10-25.55.1 python3-debugsource-3.4.10-25.55.1 python3-devel-3.4.10-25.55.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64):
  python3-devel-debuginfo-3.4.10-25.55.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  libpython3_4m1_0-3.4.10-25.55.1 libpython3_4m1_0-debuginfo-3.4.10-25.55.1 python3-3.4.10-25.55.1 python3-base-3.4.10-25.55.1 python3-base-debuginfo-3.4.10-25.55.1 python3-base-debugsource-3.4.10-25.55.1 python3-curses-3.4.10-25.55.1 python3-curses-debuginfo-3.4.10-25.55.1 python3-debuginfo-3.4.10-25.55.1 python3-debugsource-3.4.10-25.55.1 python3-devel-3.4.10-25.55.1 python3-tk-3.4.10-25.55.1 python3-tk-debuginfo-3.4.10-25.55.1
- SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):
  python3-devel-debuginfo-3.4.10-25.55.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  libpython3_4m1_0-32bit-3.4.10-25.55.1 libpython3_4m1_0-debuginfo-32bit-3.4.10-25.55.1 python3-base-debuginfo-32bit-3.4.10-25.55.1
- SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
  libpython3_4m1_0-3.4.10-25.55.1 libpython3_4m1_0-debuginfo-3.4.10-25.55.1 python3-3.4.10-25.55.1 python3-base-3.4.10-25.55.1 python3-base-debuginfo-3.4.10-25.55.1 python3-base-debugsource-3.4.10-25.55.1 python3-curses-3.4.10-25.55.1 python3-debuginfo-3.4.10-25.55.1 python3-debugsource-3.4.10-25.55.1

References:

https://www.suse.com/security/cve/CVE-2020-26116.html
https://bugzilla.suse.com/1177211

From sle-security-updates at lists.suse.com Tue Nov 10 07:17:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 15:17:30 +0100 (CET)
Subject: SUSE-SU-2020:3263-1: moderate: Security update for gcc10
Message-ID: <20201110141730.7DEA8FFAB@maintenance.suse.de>

SUSE Security Update: Security update for gcc10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3263-1
Rating:             moderate
References:         #1172798 #1172846 #1173972 #1174753 #1174817 #1175168 ECO-2373 SLE-12297
Cross-References:   CVE-2020-13844
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Module for Toolchain 12
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability, contains two features and has 5 fixes is now available.

Description:

This update for gcc10 fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.

The new compiler variants are available with "-10" suffix, you can specify them via:

    CC=gcc-10
    CXX=g++-10

or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3263=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3263=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3263=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3263=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3263=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3263=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3263=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3263=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3263=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3263=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3263=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3263=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3263=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3263=1
- SUSE Linux Enterprise Module for Toolchain 12:
  zypper in -t patch SUSE-SLE-Module-Toolchain-12-2020-3263=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3263=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-3263=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE OpenStack Cloud 9 (x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE OpenStack Cloud 8 (x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE OpenStack Cloud 7 (s390x x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE OpenStack Cloud 7 (x86_64):
  libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5
libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 
libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le x86_64): liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP5 (ppc64le x86_64): libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP5 (x86_64): libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP5 (s390x): libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 
libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le x86_64): liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (ppc64le x86_64): libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 
libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le x86_64): liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-BCL (i586 x86_64): libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): 
gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x 
x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 
libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 
libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Module for Toolchain 12 (aarch64 ppc64le s390x x86_64): cpp10-10.2.1+git583-1.3.5 cpp10-debuginfo-10.2.1+git583-1.3.5 gcc10-10.2.1+git583-1.3.5 gcc10-c++-10.2.1+git583-1.3.5 gcc10-c++-debuginfo-10.2.1+git583-1.3.5 gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 gcc10-fortran-10.2.1+git583-1.3.5 gcc10-fortran-debuginfo-10.2.1+git583-1.3.5 gcc10-go-10.2.1+git583-1.3.5 gcc10-go-debuginfo-10.2.1+git583-1.3.5 gcc10-locale-10.2.1+git583-1.3.5 gcc10-obj-c++-10.2.1+git583-1.3.5 gcc10-obj-c++-debuginfo-10.2.1+git583-1.3.5 gcc10-objc-10.2.1+git583-1.3.5 gcc10-objc-debuginfo-10.2.1+git583-1.3.5 libstdc++6-devel-gcc10-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Module for Toolchain 12 (s390x x86_64): gcc10-32bit-10.2.1+git583-1.3.5 gcc10-c++-32bit-10.2.1+git583-1.3.5 gcc10-fortran-32bit-10.2.1+git583-1.3.5 gcc10-go-32bit-10.2.1+git583-1.3.5 gcc10-obj-c++-32bit-10.2.1+git583-1.3.5 gcc10-objc-32bit-10.2.1+git583-1.3.5 libstdc++6-devel-gcc10-32bit-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Module for Toolchain 12 (noarch): gcc10-info-10.2.1+git583-1.3.5 - SUSE Linux Enterprise Module for Toolchain 12 (x86_64): cross-nvptx-gcc10-10.2.1+git583-1.3.1 cross-nvptx-newlib10-devel-10.2.1+git583-1.3.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 
libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 - SUSE Enterprise Storage 5 (x86_64): libasan6-32bit-10.2.1+git583-1.3.5 libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 - HPE Helion Openstack 8 (x86_64): gcc10-debuginfo-10.2.1+git583-1.3.5 gcc10-debugsource-10.2.1+git583-1.3.5 libasan6-10.2.1+git583-1.3.5 libasan6-32bit-10.2.1+git583-1.3.5 
libasan6-32bit-debuginfo-10.2.1+git583-1.3.5 libasan6-debuginfo-10.2.1+git583-1.3.5 libatomic1-10.2.1+git583-1.3.5 libatomic1-32bit-10.2.1+git583-1.3.5 libatomic1-32bit-debuginfo-10.2.1+git583-1.3.5 libatomic1-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-10.2.1+git583-1.3.5 libgcc_s1-32bit-10.2.1+git583-1.3.5 libgcc_s1-32bit-debuginfo-10.2.1+git583-1.3.5 libgcc_s1-debuginfo-10.2.1+git583-1.3.5 libgfortran5-10.2.1+git583-1.3.5 libgfortran5-32bit-10.2.1+git583-1.3.5 libgfortran5-32bit-debuginfo-10.2.1+git583-1.3.5 libgfortran5-debuginfo-10.2.1+git583-1.3.5 libgo16-10.2.1+git583-1.3.5 libgo16-32bit-10.2.1+git583-1.3.5 libgo16-32bit-debuginfo-10.2.1+git583-1.3.5 libgo16-debuginfo-10.2.1+git583-1.3.5 libgomp1-10.2.1+git583-1.3.5 libgomp1-32bit-10.2.1+git583-1.3.5 libgomp1-32bit-debuginfo-10.2.1+git583-1.3.5 libgomp1-debuginfo-10.2.1+git583-1.3.5 libitm1-10.2.1+git583-1.3.5 libitm1-32bit-10.2.1+git583-1.3.5 libitm1-32bit-debuginfo-10.2.1+git583-1.3.5 libitm1-debuginfo-10.2.1+git583-1.3.5 liblsan0-10.2.1+git583-1.3.5 liblsan0-debuginfo-10.2.1+git583-1.3.5 libobjc4-10.2.1+git583-1.3.5 libobjc4-32bit-10.2.1+git583-1.3.5 libobjc4-32bit-debuginfo-10.2.1+git583-1.3.5 libobjc4-debuginfo-10.2.1+git583-1.3.5 libquadmath0-10.2.1+git583-1.3.5 libquadmath0-32bit-10.2.1+git583-1.3.5 libquadmath0-32bit-debuginfo-10.2.1+git583-1.3.5 libquadmath0-debuginfo-10.2.1+git583-1.3.5 libstdc++6-10.2.1+git583-1.3.5 libstdc++6-32bit-10.2.1+git583-1.3.5 libstdc++6-32bit-debuginfo-10.2.1+git583-1.3.5 libstdc++6-debuginfo-10.2.1+git583-1.3.5 libstdc++6-locale-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-10.2.1+git583-1.3.5 libstdc++6-pp-gcc10-32bit-10.2.1+git583-1.3.5 libtsan0-10.2.1+git583-1.3.5 libtsan0-debuginfo-10.2.1+git583-1.3.5 libubsan1-10.2.1+git583-1.3.5 libubsan1-32bit-10.2.1+git583-1.3.5 libubsan1-32bit-debuginfo-10.2.1+git583-1.3.5 libubsan1-debuginfo-10.2.1+git583-1.3.5 References: https://www.suse.com/security/cve/CVE-2020-13844.html https://bugzilla.suse.com/1172798 
   https://bugzilla.suse.com/1172846
   https://bugzilla.suse.com/1173972
   https://bugzilla.suse.com/1174753
   https://bugzilla.suse.com/1174817
   https://bugzilla.suse.com/1175168

From sle-security-updates at lists.suse.com  Tue Nov 10 07:19:10 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 15:19:10 +0100 (CET)
Subject: SUSE-SU-2020:3261-1: moderate: Security update for SDL
Message-ID: <20201110141910.AF7D7FFAB@maintenance.suse.de>

   SUSE Security Update: Security update for SDL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3261-1
Rating:             moderate
References:         #1141844
Cross-References:   CVE-2019-13616
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for SDL fixes the following issues:

   Security issue fixed:

   - CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in
     video/SDL_blit_N.c when called from SDL_SoftBlit (bsc#1141844).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3261=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3261=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      SDL-debugsource-1.2.15-3.12.73
      libSDL-1_2-0-1.2.15-3.12.73
      libSDL-1_2-0-debuginfo-1.2.15-3.12.73
      libSDL-devel-1.2.15-3.12.73

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      SDL-debugsource-1.2.15-3.12.73
      libSDL-1_2-0-1.2.15-3.12.73
      libSDL-1_2-0-debuginfo-1.2.15-3.12.73
      libSDL-devel-1.2.15-3.12.73

References:

   https://www.suse.com/security/cve/CVE-2019-13616.html
   https://bugzilla.suse.com/1141844

From sle-security-updates at lists.suse.com  Tue Nov 10 07:21:19 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 15:21:19 +0100 (CET)
Subject: SUSE-SU-2020:3264-1: moderate: Security update for zeromq
Message-ID: <20201110142119.D4F71FFAB@maintenance.suse.de>

   SUSE Security Update: Security update for zeromq
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3264-1
Rating:             moderate
References:         #1176116 #1176256 #1176257 #1176258 #1176259
Cross-References:   CVE-2020-15166
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now available.

Description:

   This update for zeromq fixes the following issues:

   - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing
     a denial-of-service (bsc#1176116).
   - Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
   - Fixed a memory leak in client induced by malicious server(s) without
     CURVE/ZAP (bsc#1176257)
   - Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
   - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3264=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3264=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3264=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-3264=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3264=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3264=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3264=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3264=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3
      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libzmq5-32bit-4.2.3-3.15.4
      libzmq5-32bit-debuginfo-4.2.3-3.15.4

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise Server 15-LTSS (aarch64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le x86_64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libzmq5-32bit-4.2.3-3.15.4
      libzmq5-32bit-debuginfo-4.2.3-3.15.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le x86_64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libzmq5-32bit-4.2.3-3.15.4
      libzmq5-32bit-debuginfo-4.2.3-3.15.4

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3
      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libzmq5-32bit-4.2.3-3.15.4
      libzmq5-32bit-debuginfo-4.2.3-3.15.4

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libunwind-1.2.1-4.2.3
      libunwind-debuginfo-1.2.1-4.2.3
      libunwind-debugsource-1.2.1-4.2.3
      libunwind-devel-1.2.1-4.2.3
      libzmq5-4.2.3-3.15.4
      libzmq5-debuginfo-4.2.3-3.15.4
      zeromq-debugsource-4.2.3-3.15.4
      zeromq-devel-4.2.3-3.15.4

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libunwind-32bit-1.2.1-4.2.3
      libunwind-32bit-debuginfo-1.2.1-4.2.3
      libzmq5-32bit-4.2.3-3.15.4
      libzmq5-32bit-debuginfo-4.2.3-3.15.4

References:

   https://www.suse.com/security/cve/CVE-2020-15166.html
   https://bugzilla.suse.com/1176116
   https://bugzilla.suse.com/1176256
   https://bugzilla.suse.com/1176257
   https://bugzilla.suse.com/1176258
   https://bugzilla.suse.com/1176259

From sle-security-updates at lists.suse.com  Tue Nov 10 13:14:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Nov 2020 21:14:52 +0100 (CET)
Subject: SUSE-SU-2020:3268-1: important: Security update for spice-vdagent
Message-ID: <20201110201452.43EA4FFAB@maintenance.suse.de>

   SUSE Security Update: Security update for spice-vdagent
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3268-1
Rating:             important
References:         #1173749 #1177780 #1177781 #1177782 #1177783
Cross-References: CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 CVE-2020-25653 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. Description: This update for spice-vdagent fixes the following issues: Security issues fixed: - CVE-2020-25650: Fixed a memory DoS via arbitrary entries in `active_xfers` hash table (bsc#1177780). - CVE-2020-25651: Fixed a possible file transfer DoS and information leak via `active_xfers` hash map (bsc#1177781). - CVE-2020-25652: Fixed a possibility to exhaust file descriptors in `vdagentd` (bsc#1177782). - CVE-2020-25653: Fixed a race condition when the UNIX domain socket peer PID retrieved via `SO_PEERCRED` (bsc#1177783). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3268=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): spice-vdagent-0.19.0-3.3.1 spice-vdagent-debuginfo-0.19.0-3.3.1 spice-vdagent-debugsource-0.19.0-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-25650.html https://www.suse.com/security/cve/CVE-2020-25651.html https://www.suse.com/security/cve/CVE-2020-25652.html https://www.suse.com/security/cve/CVE-2020-25653.html https://bugzilla.suse.com/1173749 https://bugzilla.suse.com/1177780 https://bugzilla.suse.com/1177781 https://bugzilla.suse.com/1177782 https://bugzilla.suse.com/1177783 From sle-security-updates at lists.suse.com Tue Nov 10 13:17:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 10 Nov 2020 21:17:52 +0100 
(CET) Subject: SUSE-SU-2020:3269-1: moderate: Security update for python-waitress Message-ID: <20201110201752.661B7FFAB@maintenance.suse.de> SUSE Security Update: Security update for python-waitress ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3269-1 Rating: moderate References: #1160790 #1161088 #1161089 #1161670 Cross-References: CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for python-waitress to 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3269=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3269=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3269=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-3269=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3269=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3269=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3269=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3269=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (noarch): python3-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): python3-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (noarch): python2-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (noarch): python2-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): python3-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): python3-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): python3-waitress-1.4.3-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): python3-waitress-1.4.3-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-16785.html https://www.suse.com/security/cve/CVE-2019-16786.html https://www.suse.com/security/cve/CVE-2019-16789.html 
https://www.suse.com/security/cve/CVE-2019-16792.html https://bugzilla.suse.com/1160790 https://bugzilla.suse.com/1161088 https://bugzilla.suse.com/1161089 https://bugzilla.suse.com/1161670 From sle-security-updates at lists.suse.com Tue Nov 10 16:15:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Nov 2020 00:15:00 +0100 (CET) Subject: SUSE-SU-2020:3276-1: moderate: Security update for ucode-intel Message-ID: <20201110231500.B7BF1FFAB@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3276-1 Rating: moderate References: #1170446 #1173594 Cross-References: CVE-2020-8695 CVE-2020-8698 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for ucode-intel fixes the following issues: - Intel CPU Microcode updated to 20201027 prerelease - CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446) - CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594) # New Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile | CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 | CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile | CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 | CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 | CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile # Updated Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | 
Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 | SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx | APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx | SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 | HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 | SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable | SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx | CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 | CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 | ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile | AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile | CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile | WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile | AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 | CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E | CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 | CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 | CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile | CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper 
patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3276=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20201027-3.33.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 https://bugzilla.suse.com/1173594 From sle-security-updates at lists.suse.com Tue Nov 10 16:16:08 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Nov 2020 00:16:08 +0100 (CET) Subject: SUSE-SU-2020:3273-1: important: Security update for the Linux Kernel Message-ID: <20201110231608.EE0B9FFA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3273-1 Rating: important References: #1065600 #1066382 #1149032 #1163592 #1164648 #1170415 #1175749 #1176354 #1177281 #1177766 #1177799 #1177801 #1178166 #1178173 #1178175 #1178176 #1178177 #1178183 #1178184 #1178185 #1178186 #1178190 #1178191 #1178255 #1178307 #1178330 #1178395 Cross-References: CVE-2020-25656 CVE-2020-8694 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 ______________________________________________________________________________ An update that solves two vulnerabilities and has 25 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). The following non-security bugs were fixed: - act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24). 
   - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
   - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
   - block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
   - Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
   - Bluetooth: Only mark socket zapped after unlocking (git-fixes).
   - bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
   - bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
   - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
   - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
   - btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
   - btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
   - btrfs: drop path before adding new uuid tree entry (bsc#1178176).
   - btrfs: fix filesystem corruption after a device replace (bsc#1178395).
   - btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
   - btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
   - btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
   - btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
   - btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
   - btrfs: set the correct lockdep class for new nodes (bsc#1178184).
   - btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
   - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
   - ceph: promote to unsigned long long before shifting (bsc#1178175).
   - crypto: ccp - fix error handling (git-fixes).
   - cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
   - cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
   - Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
   - Disable module compression on SLE15 SP2 (bsc#1178307)
   - dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
   - eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
   - futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648).
   - futex: Consistently use fshared as boolean (bsc#1149032).
   - futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
   - futex: Remove put_futex_key() (bsc#1149032).
   - futex: Remove unused or redundant includes (bsc#1149032).
   - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
   - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
   - HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
   - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
   - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
   - icmp: randomize the global rate limiter (git-fixes).
   - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
   - ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24).
   - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
   - ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
   - ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
   - ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11).
   - ipvlan: fix device features (networking-stable-20_08_24).
   - kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
   - kbuild: enforce -Werror=return-type (bsc#1177281).
   - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes).
   - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177).
   - mac80211: handle lack of sband->bitrates in rates (git-fixes).
   - mailbox: avoid timer start from callback (git-fixes).
   - media: ati_remote: sanity check for both endpoints (git-fixes).
   - media: bdisp: Fix runtime PM imbalance on error (git-fixes).
   - media: exynos4-is: Fix a reference count leak (git-fixes).
   - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
   - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
   - media: firewire: fix memory leak (git-fixes).
   - media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
   - media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes).
   - media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes).
   - media: media/pci: prevent memory leak in bttv_probe (git-fixes).
   - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
   - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
   - media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
   - media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
   - media: saa7134: avoid a shift overflow (git-fixes).
   - media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
   - media: sti: Fix reference count leaks (git-fixes).
   - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
   - media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
   - media: vsp1: Fix runtime PM imbalance on error (git-fixes).
   - mic: vop: copy data to kernel space then write to io memory (git-fixes).
   - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
   - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
   - mm: fix a race during THP splitting (bsc#1178255).
   - mm: madvise: fix vma user-after-free (git-fixes).
   - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
   - module: Correctly truncate sysfs sections output (git-fixes).
   - module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
   - module: Refactor section attr into bin attribute (git-fixes).
   - module: statically initialize init section freeing data (git-fixes).
   - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
   - net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes).
   - net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
   - net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24).
   - net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24).
   - net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
   - net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
   - net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24).
   - net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24).
   - net: disable netpoll on fresh napis (networking-stable-20_09_11).
   - net: dsa: b53: check for timeout (networking-stable-20_08_24).
   - net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24).
   - net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24).
   - net: Fix bridge enslavement failure (networking-stable-20_09_24).
   - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
   - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
   - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
   - net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24).
   - net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
   - net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24).
   - net: lantiq: Wake TX queue again (networking-stable-20_09_24).
   - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
   - net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24).
   - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
   - net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
   - net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
   - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
   - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
   - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
   - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
   - netlabel: fix problems with mapping removal (networking-stable-20_09_11).
   - nfp: use correct define to return NONE fec (networking-stable-20_09_24).
   - PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
   - r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
   - rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
   - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
   - rtl8xxxu: prevent potential memory leak (git-fixes).
   - rtw88: increse the size of rx buffer size (git-fixes).
   - s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
   - s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
   - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
   - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
   - selftests/timers: Turn off timeout setting (git-fixes).
   - spi: spi-s3c64xx: Check return values (git-fixes).
   - spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
   - taprio: Fix allowing too small intervals (networking-stable-20_09_24).
   - time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
   - tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
   - tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
   - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
   - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
   - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
   - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
   - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
   - tty: ipwireless: fix error handling (git-fixes).
   - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
   - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
   - usb: cdc-acm: handle broken union descriptors (git-fixes).
   - usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
   - usb: core: Solve race condition in anchor cleanup functions (git-fixes).
   - usb: dwc3: simple: add support for Hikey 970 (git-fixes).
   - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
   - usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
   - usb: ohci: Default to per-port over-current protection (git-fixes).
   - x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
   - xen/gntdev.c: Mark pages as dirty (bsc#1065600).
   - xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
   - xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
   - xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3273=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
   kernel-default-debuginfo-5.3.18-24.37.1
   kernel-default-debugsource-5.3.18-24.37.1
   kernel-default-livepatch-5.3.18-24.37.1
   kernel-default-livepatch-devel-5.3.18-24.37.1
   kernel-livepatch-5_3_18-24_37-default-1-5.3.1
   kernel-livepatch-5_3_18-24_37-default-debuginfo-1-5.3.1
   kernel-livepatch-SLE15-SP2_Update_7-debugsource-1-5.3.1

References:

https://www.suse.com/security/cve/CVE-2020-25656.html
https://www.suse.com/security/cve/CVE-2020-8694.html
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1066382
https://bugzilla.suse.com/1149032
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1164648
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1175749
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177799
https://bugzilla.suse.com/1177801
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178173
https://bugzilla.suse.com/1178175
https://bugzilla.suse.com/1178176
https://bugzilla.suse.com/1178177
https://bugzilla.suse.com/1178183
https://bugzilla.suse.com/1178184
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178186
https://bugzilla.suse.com/1178190
https://bugzilla.suse.com/1178191
https://bugzilla.suse.com/1178255
https://bugzilla.suse.com/1178307
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1178395


From sle-security-updates at lists.suse.com Tue Nov 10 16:19:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 00:19:44 +0100 (CET)
Subject: SUSE-SU-2020:3275-1: moderate: Security update for ucode-intel
Message-ID: <20201110231944.D2D17FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3275-1
Rating:             moderate
References:         #1170446 #1173594
Cross-References:   CVE-2020-8695 CVE-2020-8698
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ucode-intel fixes the following issues:

   - Intel CPU Microcode updated to 20201027 prerelease
   - CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
   - CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)

   # New Platforms:

   | Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
   |:---------------|:---------|:------------|:---------|:---------|:---------
   | TGL            | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile
   | CPX-SP         | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3
   | CML-H          | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile
   | CML-S62        | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10
   | CML-S102       | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10
   | CML-U62 V2     | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile

   # Updated Platforms:

   | Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
   |:---------------|:---------|:------------|:---------|:---------|:---------
   | GKL-R          | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
   | SKL-U/Y        | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
   | SKL-U23e       | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
   | APL            | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
   | APL            | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
   | SKL-H/S        | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
   | HSX-E/EP       | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
   | SKX-SP         | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
   | SKX-SP         | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
   | SKX-D          | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
   | CLX-SP         | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
   | CLX-SP         | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
   | ICL-U/Y        | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
   | AML-Y22        | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
   | KBL-U/Y        | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
   | CFL-U43e       | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
   | WHL-U          | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
   | AML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
   | CML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
   | WHL-U          | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
   | KBL-G/H/S/E3   | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
   | CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
   | CFL-S          | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
   | CFL-H/S        | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
   | CFL-H          | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
   | CML-U62        | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3275=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3275=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3275=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
   ucode-intel-20201027-3.51.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
   ucode-intel-20201027-3.51.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
   ucode-intel-20201027-3.51.1

References:

https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173594


From sle-security-updates at lists.suse.com Tue Nov 10 16:21:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 00:21:02 +0100 (CET)
Subject: SUSE-SU-2020:3273-1: important: Security update for the Linux Kernel
Message-ID: <20201110232102.716BAFFAC@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3273-1
Rating:             important
References:         #1065600 #1066382 #1149032 #1163592 #1164648 #1170415
                    #1175749 #1176354 #1177281 #1177766 #1177799 #1177801
                    #1178166 #1178173 #1178175 #1178176 #1178177 #1178183
                    #1178184 #1178185 #1178186 #1178190 #1178191 #1178255
                    #1178307 #1178330 #1178395
Cross-References:   CVE-2020-25656 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Module for Live Patching 15-SP2
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has 25 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

   The following non-security bugs were fixed:

   - act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24).
   - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
   - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
   - block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
   - Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
   - Bluetooth: Only mark socket zapped after unlocking (git-fixes).
   - bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
   - bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
   - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
   - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
   - btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
   - btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
   - btrfs: drop path before adding new uuid tree entry (bsc#1178176).
   - btrfs: fix filesystem corruption after a device replace (bsc#1178395).
   - btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
   - btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
   - btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
   - btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
   - btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
   - btrfs: set the correct lockdep class for new nodes (bsc#1178184).
   - btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
   - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
   - ceph: promote to unsigned long long before shifting (bsc#1178175).
   - crypto: ccp - fix error handling (git-fixes).
   - cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
   - cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
   - Disable ipa-clones dump for KMP builds (bsc#1178330). The feature is not really useful for KMP, and rather confusing, so let's disable it when building out-of-tree code.
   - Disable module compression on SLE15 SP2 (bsc#1178307).
   - dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
   - eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
   - futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648).
   - futex: Consistently use fshared as boolean (bsc#1149032).
   - futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
   - futex: Remove put_futex_key() (bsc#1149032).
   - futex: Remove unused or redundant includes (bsc#1149032).
   - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
   - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
   - HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
   - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
   - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
   - icmp: randomize the global rate limiter (git-fixes).
   - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
   - ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24).
   - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
   - ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
   - ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
   - ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11).
   - ipvlan: fix device features (networking-stable-20_08_24).
   - kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
   - kbuild: enforce -Werror=return-type (bsc#1177281).
   - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes).
   - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177).
   - mac80211: handle lack of sband->bitrates in rates (git-fixes).
   - mailbox: avoid timer start from callback (git-fixes).
   - media: ati_remote: sanity check for both endpoints (git-fixes).
   - media: bdisp: Fix runtime PM imbalance on error (git-fixes).
   - media: exynos4-is: Fix a reference count leak (git-fixes).
   - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
   - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
   - media: firewire: fix memory leak (git-fixes).
   - media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
   - media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes).
   - media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes).
   - media: media/pci: prevent memory leak in bttv_probe (git-fixes).
   - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
   - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
   - media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
   - media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
   - media: saa7134: avoid a shift overflow (git-fixes).
   - media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
   - media: sti: Fix reference count leaks (git-fixes).
   - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
   - media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
   - media: vsp1: Fix runtime PM imbalance on error (git-fixes).
   - mic: vop: copy data to kernel space then write to io memory (git-fixes).
   - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
   - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
   - mm: fix a race during THP splitting (bsc#1178255).
   - mm: madvise: fix vma use-after-free (git-fixes).
   - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
   - module: Correctly truncate sysfs sections output (git-fixes).
   - module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
   - module: Refactor section attr into bin attribute (git-fixes).
   - module: statically initialize init section freeing data (git-fixes).
   - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
   - net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes).
   - net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
   - net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24).
   - net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24).
   - net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
   - net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
   - net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24).
   - net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24).
   - net: disable netpoll on fresh napis (networking-stable-20_09_11).
   - net: dsa: b53: check for timeout (networking-stable-20_08_24).
   - net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24).
   - net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24).
   - net: Fix bridge enslavement failure (networking-stable-20_09_24).
   - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
   - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
   - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
   - net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24).
   - net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
   - net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24).
   - net: lantiq: Wake TX queue again (networking-stable-20_09_24).
   - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
   - net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24).
   - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
   - net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
   - net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
   - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
   - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
   - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
   - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
   - netlabel: fix problems with mapping removal (networking-stable-20_09_11).
   - nfp: use correct define to return NONE fec (networking-stable-20_09_24).
   - PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
   - r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
   - rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886). The in-tree KMP that is built with SLE kernels has a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
   - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592).
   - rtl8xxxu: prevent potential memory leak (git-fixes).
   - rtw88: increase the size of rx buffer size (git-fixes).
   - s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
   - s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
   - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
   - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
   - selftests/timers: Turn off timeout setting (git-fixes).
   - spi: spi-s3c64xx: Check return values (git-fixes).
   - spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
   - taprio: Fix allowing too small intervals (networking-stable-20_09_24).
   - time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
   - tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
   - tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
   - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
   - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
   - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
   - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
   - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
   - tty: ipwireless: fix error handling (git-fixes).
   - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
   - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
   - usb: cdc-acm: handle broken union descriptors (git-fixes).
   - usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
   - usb: core: Solve race condition in anchor cleanup functions (git-fixes).
   - usb: dwc3: simple: add support for Hikey 970 (git-fixes).
   - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
   - usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
   - usb: ohci: Default to per-port over-current protection (git-fixes).
   - x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
   - xen/gntdev.c: Mark pages as dirty (bsc#1065600).
   - xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
   - xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
   - xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3273=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3273=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3273=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3273=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3273=1

   - SUSE Linux Enterprise High Availability 15-SP2:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2020-3273=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      kernel-default-debuginfo-5.3.18-24.37.1
      kernel-default-debugsource-5.3.18-24.37.1
      kernel-default-extra-5.3.18-24.37.1
      kernel-default-extra-debuginfo-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):

      kernel-default-debuginfo-5.3.18-24.37.1
      kernel-default-debugsource-5.3.18-24.37.1
      kernel-default-livepatch-5.3.18-24.37.1
      kernel-default-livepatch-devel-5.3.18-24.37.1
      kernel-livepatch-5_3_18-24_37-default-1-5.3.1
      kernel-livepatch-5_3_18-24_37-default-debuginfo-1-5.3.1
      kernel-livepatch-SLE15-SP2_Update_7-debugsource-1-5.3.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-5.3.18-24.37.1
      kernel-default-debugsource-5.3.18-24.37.1
      reiserfs-kmp-default-5.3.18-24.37.1
      reiserfs-kmp-default-debuginfo-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-5.3.18-24.37.1
      kernel-obs-build-debugsource-5.3.18-24.37.1
      kernel-syms-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      kernel-preempt-debuginfo-5.3.18-24.37.1
      kernel-preempt-debugsource-5.3.18-24.37.1
      kernel-preempt-devel-5.3.18-24.37.1
      kernel-preempt-devel-debuginfo-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):

      kernel-docs-5.3.18-24.37.1
      kernel-source-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      kernel-default-5.3.18-24.37.1
      kernel-default-base-5.3.18-24.37.1.9.13.1
      kernel-default-debuginfo-5.3.18-24.37.1
      kernel-default-debugsource-5.3.18-24.37.1
      kernel-default-devel-5.3.18-24.37.1
      kernel-default-devel-debuginfo-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64):

      kernel-preempt-5.3.18-24.37.1
      kernel-preempt-debuginfo-5.3.18-24.37.1
      kernel-preempt-debugsource-5.3.18-24.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

      kernel-devel-5.3.18-24.37.1
      kernel-macros-5.3.18-24.37.1

   - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-5.3.18-24.37.1
      cluster-md-kmp-default-debuginfo-5.3.18-24.37.1
      dlm-kmp-default-5.3.18-24.37.1
      dlm-kmp-default-debuginfo-5.3.18-24.37.1
      gfs2-kmp-default-5.3.18-24.37.1
      gfs2-kmp-default-debuginfo-5.3.18-24.37.1
      kernel-default-debuginfo-5.3.18-24.37.1
      kernel-default-debugsource-5.3.18-24.37.1
      ocfs2-kmp-default-5.3.18-24.37.1
      ocfs2-kmp-default-debuginfo-5.3.18-24.37.1

References:

   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1066382
   https://bugzilla.suse.com/1149032
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1164648
   https://bugzilla.suse.com/1170415
   https://bugzilla.suse.com/1175749
   https://bugzilla.suse.com/1176354
   https://bugzilla.suse.com/1177281
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1177799
   https://bugzilla.suse.com/1177801
   https://bugzilla.suse.com/1178166
   https://bugzilla.suse.com/1178173
   https://bugzilla.suse.com/1178175
   https://bugzilla.suse.com/1178176
   https://bugzilla.suse.com/1178177
   https://bugzilla.suse.com/1178183
   https://bugzilla.suse.com/1178184
   https://bugzilla.suse.com/1178185
   https://bugzilla.suse.com/1178186
   https://bugzilla.suse.com/1178190
   https://bugzilla.suse.com/1178191
   https://bugzilla.suse.com/1178255
   https://bugzilla.suse.com/1178307
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178395

From sle-security-updates at lists.suse.com Tue Nov 10 16:24:40 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 00:24:40 +0100 (CET)
Subject: SUSE-SU-2020:3272-1: important: Security update for the Linux Kernel
Message-ID: <20201110232440.554ABFFAC@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3272-1
Rating:             important
References:         #1055014 #1061843 #1065600 #1065729 #1066382 #1077428
                    #1112178 #1131277 #1134760 #1170415 #1171558 #1173432
                    #1174748 #1176354 #1176485 #1176560 #1176713 #1176723
                    #1177086 #1177101 #1177271 #1177281 #1177410 #1177411
                    #1177470 #1177687 #1177719 #1177740 #1177749 #1177750
                    #1177753 #1177754 #1177755
                    #1177766 #1177855 #1177856 #1177861 #1178003 #1178027
                    #1178166 #1178185 #1178187 #1178188 #1178202 #1178234
                    #1178330
Cross-References:   CVE-2020-0430 CVE-2020-14351 CVE-2020-16120 CVE-2020-25285
                    CVE-2020-25656 CVE-2020-27673 CVE-2020-27675 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has 38 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
   - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
   - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
   - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
   - CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411).
   - CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).

   The following non-security bugs were fixed:

   - ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
   - ALSA: compress_offload: remove redundant initialization (git-fixes).
   - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
   - ALSA: core: pcm: simplify locking for timers (git-fixes).
   - ALSA: core: timer: clarify operator precedence (git-fixes).
   - ALSA: core: timer: remove redundant assignment (git-fixes).
   - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
   - ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
   - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
   - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
   - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
   - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
   - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
   - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
   - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
   - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
   - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
   - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
   - ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
   - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
   - ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
   - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
   - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
   - ath10k: provide survey info as accumulated data (git-fixes).
   - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
   - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
   - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
   - backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
   - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
   - block: ensure bdi->io_pages is always initialized (bsc#1177749).
   - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
   - Bluetooth: Only mark socket zapped after unlocking (git-fixes).
   - bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
   - bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
   - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
   - brcmfmac: check ndev pointer (git-fixes).
   - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
   - btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
   - btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
   - btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
   - btrfs: fix incorrect updating of log root tree (bsc#1177687).
   - btrfs: fix race between page release and a fast fsync (bsc#1177687).
   - btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
   - btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
   - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
   - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
   - btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
   - btrfs: release old extent maps during page release (bsc#1177687).
   - btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
   - btrfs: remove root usage from can_overcommit (bsc#1131277).
   - btrfs: stop incrementing log_batch for the log root tree when syncing log (bsc#1177687).
   - btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
   - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
   - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
   - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
   - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
   - ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
   - ceph: map snapid to anonymous bdev ID (bsc#1178234).
   - ceph: promote to unsigned long long before shifting (bsc#1178187).
   - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
   - clk: at91: remove the checking of parent_name (git-fixes).
   - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
   - clk: imx8mq: Fix usdhc parents order (git-fixes).
   - coredump: fix crash when umh is disabled (bsc#1177753).
   - crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
   - crypto: ccp - fix error handling (git-fixes).
   - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
   - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
   - crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
   - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
   - crypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
   - Disable ipa-clones dump for KMP builds (bsc#1178330). The feature is not really useful for KMP, and rather confusing, so let's disable it when building out-of-tree code.
   - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
   - drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
   - drm/gma500: fix error check (git-fixes).
   - drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
   - drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
   - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
   - eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
   - Fix use after free in get_capset_info callback (git-fixes).
   - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
   - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
   - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
   - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
   - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
   - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
   - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
   - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
   - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
   - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
   - iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
   - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
   - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
   - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
   - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
   - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
   - include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
   - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes).
   - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
   - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
   - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
   - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
   - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
   - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
   - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
   - kbuild: enforce -Werror=return-type (bsc#1177281).
   - leds: mt6323: move period calculation (git-fixes).
   - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
   - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
   - livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
   - mac80211: handle lack of sband->bitrates in rates (git-fixes).
   - mailbox: avoid timer start from callback (git-fixes).
   - media: ati_remote: sanity check for both endpoints (git-fixes).
   - media: bdisp: Fix runtime PM imbalance on error (git-fixes).
   - media: exynos4-is: Fix a reference count leak (git-fixes).
   - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
   - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
   - media: firewire: fix memory leak (git-fixes).
   - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
   - media: media/pci: prevent memory leak in bttv_probe (git-fixes).
   - media: omap3isp: Fix memleak in isp_probe (git-fixes).
   - media: platform: fcp: Fix a reference count leak (git-fixes).
   - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
   - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
   - media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
   - media: s5p-mfc: Fix a reference count leak (git-fixes).
   - media: saa7134: avoid a shift overflow (git-fixes).
   - media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
   - media: sti: Fix reference count leaks (git-fixes).
   - media: tc358743: initialize variable (git-fixes).
   - media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
   - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
   - media: usbtv: Fix refcounting mixup (git-fixes).
   - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
   - media: vsp1: Fix runtime PM imbalance on error (git-fixes).
   - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
   - memory: omap-gpmc: Fix a couple off by ones (git-fixes).
   - mfd: sm501: Fix leaks in probe() (git-fixes).
   - mic: vop: copy data to kernel space then write to io memory (git-fixes).
   - misc: mic: scif: Fix error handling path (git-fixes).
   - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
   - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
   - mlx5 PPC ringsize workaround (bsc#1173432).
   - mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
   - mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
   - mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
   - mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
   - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
   - mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
   - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
   - mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
   - mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
   - mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
   - mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
   - mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
   - mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
   - mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
   - mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
   - mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
   - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
   - Move upstreamed patches into sorted section.
   - mtd: lpddr: fix excessive stack usage with clang (git-fixes).
   - mtd: mtdoops: Do not write panic data twice (git-fixes).
   - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
   - mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
   - mwifiex: fix double free (git-fixes).
   - mwifiex: remove function pointer check (git-fixes).
   - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
   - net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
   - net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
   - net: disable netpoll on fresh napis (networking-stable-20_09_11).
   - net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
   - net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
   - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
   - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
   - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
   - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
   - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
   - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
   - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
   - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
   - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes). - netlabel: fix problems with mapping removal (networking-stable-20_09_11). - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes). - nl80211: fix non-split wiphy information (git-fixes). - NTB: hw: amd: fix an issue about leak system resources (git-fixes). - nvme-rdma: fix crash due to incorrect cqe (bsc#1174748). - nvme-rdma: fix crash when connect rejected (bsc#1174748). - nvme: do not update disk info for multipathed device (bsc#1171558). - platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes). - powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729). - powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729). - powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729). - powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729). - powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729). - powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729). - powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes). - powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729). - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729). - pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes). - pwm: lpss: Add range limit check for the base_unit register value (git-fixes). - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes). - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes). - rtl8xxxu: prevent potential memory leak (git-fixes). - scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729). - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226). - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11). 
- spi: fsl-espi: Only process interrupts for expected events (git-fixes). - tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11). - tipc: fix memory leak caused by tipc_buf_append() (git-fixes). - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24). - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11). - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes). - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24). - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24). - tty: ipwireless: fix error handling (git-fixes). - tty: serial: earlycon dependency (git-fixes). - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes). - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes). - usb: cdc-acm: handle broken union descriptors (git-fixes). - usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes). - usb: core: Solve race condition in anchor cleanup functions (git-fixes). - usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes). - usb: dwc2: Fix parameter type in function pointer prototype (git-fixes). - usb: dwc3: core: add phy cleanup for probe error handling (git-fixes). - usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes). - usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes). - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes). - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes). - usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes). - usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes). - usb: ohci: Default to per-port over-current protection (git-fixes). - usb: serial: qcserial: fix altsetting probing (git-fixes). - vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202). - video: fbdev: sis: fix null ptr dereference (git-fixes). 
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes). - VMCI: check return value of get_user_pages_fast() for errors (git-fixes). - w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes). - watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101). - watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101). - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes). - writeback: Avoid skipping inode writeback (bsc#1177755). - writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755). - writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755). - x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)). - x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178). - x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178). - x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713). - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411). - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411). - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410). - xen/events: block rogue events for some time (XSA-332 bsc#1177411). - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411). - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600). - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411). - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411). - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411). - xen/gntdev.c: Mark pages as dirty (bsc#1065600). - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411). 
- xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600). - xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027). - xfs: limit entries returned when counting fsmap records (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3272=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-3272=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3272=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3272=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-3272=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): kernel-default-debuginfo-4.12.14-197.67.1 kernel-default-debugsource-4.12.14-197.67.1 kernel-default-extra-4.12.14-197.67.1 kernel-default-extra-debuginfo-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-197.67.1 kernel-default-debugsource-4.12.14-197.67.1 reiserfs-kmp-default-4.12.14-197.67.1 reiserfs-kmp-default-debuginfo-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-197.67.1 kernel-obs-build-debugsource-4.12.14-197.67.1 kernel-syms-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): 
kernel-docs-4.12.14-197.67.1 kernel-source-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-197.67.1 kernel-default-base-4.12.14-197.67.1 kernel-default-base-debuginfo-4.12.14-197.67.1 kernel-default-debuginfo-4.12.14-197.67.1 kernel-default-debugsource-4.12.14-197.67.1 kernel-default-devel-4.12.14-197.67.1 kernel-default-devel-debuginfo-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): kernel-devel-4.12.14-197.67.1 kernel-macros-4.12.14-197.67.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x): kernel-default-man-4.12.14-197.67.1 kernel-zfcpdump-debuginfo-4.12.14-197.67.1 kernel-zfcpdump-debugsource-4.12.14-197.67.1 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-197.67.1 cluster-md-kmp-default-debuginfo-4.12.14-197.67.1 dlm-kmp-default-4.12.14-197.67.1 dlm-kmp-default-debuginfo-4.12.14-197.67.1 gfs2-kmp-default-4.12.14-197.67.1 gfs2-kmp-default-debuginfo-4.12.14-197.67.1 kernel-default-debuginfo-4.12.14-197.67.1 kernel-default-debugsource-4.12.14-197.67.1 ocfs2-kmp-default-4.12.14-197.67.1 ocfs2-kmp-default-debuginfo-4.12.14-197.67.1 References: https://www.suse.com/security/cve/CVE-2020-0430.html https://www.suse.com/security/cve/CVE-2020-14351.html https://www.suse.com/security/cve/CVE-2020-16120.html https://www.suse.com/security/cve/CVE-2020-25285.html https://www.suse.com/security/cve/CVE-2020-25656.html https://www.suse.com/security/cve/CVE-2020-27673.html https://www.suse.com/security/cve/CVE-2020-27675.html https://www.suse.com/security/cve/CVE-2020-8694.html https://bugzilla.suse.com/1055014 https://bugzilla.suse.com/1061843 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1066382 https://bugzilla.suse.com/1077428 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1131277 https://bugzilla.suse.com/1134760 
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1171558
https://bugzilla.suse.com/1173432
https://bugzilla.suse.com/1174748
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1176485
https://bugzilla.suse.com/1176560
https://bugzilla.suse.com/1176713
https://bugzilla.suse.com/1176723
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177101
https://bugzilla.suse.com/1177271
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177687
https://bugzilla.suse.com/1177719
https://bugzilla.suse.com/1177740
https://bugzilla.suse.com/1177749
https://bugzilla.suse.com/1177750
https://bugzilla.suse.com/1177753
https://bugzilla.suse.com/1177754
https://bugzilla.suse.com/1177755
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177855
https://bugzilla.suse.com/1177856
https://bugzilla.suse.com/1177861
https://bugzilla.suse.com/1178003
https://bugzilla.suse.com/1178027
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178187
https://bugzilla.suse.com/1178188
https://bugzilla.suse.com/1178202
https://bugzilla.suse.com/1178234
https://bugzilla.suse.com/1178330

From sle-security-updates at lists.suse.com Tue Nov 10 16:30:35 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 00:30:35 +0100 (CET)
Subject: SUSE-SU-2020:3274-1: moderate: Security update for ucode-intel
Message-ID: <20201110233035.EED95FFA8@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3274-1
Rating: moderate
References: #1170446 #1173594
Cross-References: CVE-2020-8695 CVE-2020-8698
Affected Products:
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)

# New Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile |
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 |
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile |
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 |
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 |
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile |

# Updated Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx |
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx |
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 |
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable |
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx |
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 |
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile |
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile |
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile |
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile |
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 |
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E |
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 |
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 |
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile |
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3274=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):
    ucode-intel-20201027-3.20.1
    ucode-intel-debuginfo-20201027-3.20.1
    ucode-intel-debugsource-20201027-3.20.1

References:

https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Tue Nov 10 16:31:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 00:31:44 +0100 (CET)
Subject: SUSE-SU-2020:3271-1: moderate: Security update for ucode-intel
Message-ID: <20201110233144.0E03BFFA8@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3271-1
Rating: moderate
References: #1170446 #1173594
Cross-References: CVE-2020-8695 CVE-2020-8698
Affected Products:
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.
Description:

This update for ucode-intel fixes the following issues:

- Intel CPU Microcode updated to 20201027 pre-release
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)

# New Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile |
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 |
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile |
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 |
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 |
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile |

# Updated Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx |
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx |
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 |
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable |
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx |
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 |
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile |
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile |
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile |
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile |
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 |
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E |
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 |
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 |
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile |
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3271=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): ucode-intel-20201027-2.7.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 https://bugzilla.suse.com/1173594 From sle-security-updates at lists.suse.com Tue Nov 10 16:32:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 11 Nov 2020 00:32:50 +0100 (CET) Subject: SUSE-SU-2020:3272-1: important: Security update for the Linux Kernel Message-ID: <20201110233250.747DCFFA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3272-1 Rating: important References: #1055014 #1061843 #1065600 #1065729 #1066382 #1077428 #1112178 #1131277 #1134760 #1170415 #1171558 #1173432 #1174748 #1176354 #1176485 #1176560 #1176713 #1176723 #1177086 #1177101 #1177271 #1177281 #1177410 #1177411 #1177470 #1177687 #1177719 #1177740 #1177749 #1177750 #1177753 #1177754 #1177755 #1177766 #1177855 #1177856 #1177861 #1178003 #1178027 #1178166 #1178185 #1178187 #1178188 #1178202 #1178234 #1178330 Cross-References: CVE-2020-0430 CVE-2020-14351 CVE-2020-16120 CVE-2020-25285 CVE-2020-25656 CVE-2020-27673 CVE-2020-27675 CVE-2020-8694 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Legacy Software 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that solves 
8 vulnerabilities and has 38 fixes is now available. Description: The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086). - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). - CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411) - CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410). The following non-security bugs were fixed: - ALSA: bebob: potential info leak in hwdep_read() (git-fixes). - ALSA: compress_offload: remove redundant initialization (git-fixes). - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes). - ALSA: core: pcm: simplify locking for timers (git-fixes). - ALSA: core: timer: clarify operator precedence (git-fixes). - ALSA: core: timer: remove redundant assignment (git-fixes). - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes). - ALSA: hda - Do not register a cb func if it is registered already (git-fixes). - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes). - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes). - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes). - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes). - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes). 
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes). - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes). - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes). - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes). - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes). - ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes). - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes). - ASoC: qcom: lpass-platform: fix memory leak (git-fixes). - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes). - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes). - ath10k: provide survey info as accumulated data (git-fixes). - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes). - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes). - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes). - backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes). - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750). - block: ensure bdi->io_pages is always initialized (bsc#1177749). - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes). - Bluetooth: Only mark socket zapped after unlocking (git-fixes). - bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11). - bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11). - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes). - brcmfmac: check ndev pointer (git-fixes). - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes). - btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687). - btrfs: do not force read-only after error in drop snapshot (bsc#1176354). 
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687). - btrfs: fix incorrect updating of log root tree (bsc#1177687). - btrfs: fix race between page release and a fast fsync (bsc#1177687). - btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687). - btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687). - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856). - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855). - btrfs: reduce contention on log trees when logging checksums (bsc#1177687). - btrfs: release old extent maps during page release (bsc#1177687). - btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687). - btrfs: remove root usage from can_overcommit (bsc#1131277). - btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687). - btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560). - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861). - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes). - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes). - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes). - ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234). - ceph: map snapid to anonymous bdev ID (bsc#1178234). - ceph: promote to unsigned long long before shifting (bsc#1178187). - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes). - clk: at91: remove the checking of parent_name (git-fixes). - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes). - clk: imx8mq: Fix usdhc parents order (git-fixes). - coredump: fix crash when umh is disabled (bsc#1177753). - crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes). 
- crypto: ccp - fix error handling (git-fixes). - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes). - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes). - crypto: omap-sham - fix digcnt register handling with export/import (git-fixes). - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes). - cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes). - Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes). - drm/amdgpu: prevent double kfree ttm->sg (git-fixes). - drm/gma500: fix error check (git-fixes). - drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes). - drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes). - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178). - eeprom: at25: set minimum read/write access stride to 1 (git-fixes). - Fix use after free in get_capset_info callback (git-fixes). - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24). - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11). - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes). - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes). - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes). - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897). - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes). - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes). - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes). - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes). - iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes). 
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes). - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes). - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes). - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes). - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes). - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes). - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes). - include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)). - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes). - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes). - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes). - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes). - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes). - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes). - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754). - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24). - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes). - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes). - kbuild: enforce -Werror=return-type (bsc#1177281). - leds: mt6323: move period calculation (git-fixes). - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes). - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188). - livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability. - mac80211: handle lack of sband->bitrates in rates (git-fixes). 
- mailbox: avoid timer start from callback (git-fixes). - media: ati_remote: sanity check for both endpoints (git-fixes). - media: bdisp: Fix runtime PM imbalance on error (git-fixes). - media: exynos4-is: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes). - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes). - media: firewire: fix memory leak (git-fixes). - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes). - media: media/pci: prevent memory leak in bttv_probe (git-fixes). - media: omap3isp: Fix memleak in isp_probe (git-fixes). - media: platform: fcp: Fix a reference count leak (git-fixes). - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes). - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes). - media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes). - media: s5p-mfc: Fix a reference count leak (git-fixes). - media: saa7134: avoid a shift overflow (git-fixes). - media: st-delta: Fix reference count leak in delta_run_work (git-fixes). - media: sti: Fix reference count leaks (git-fixes). - media: tc358743: initialize variable (git-fixes). - media: ti-vpe: Fix a missing check and reference count leak (git-fixes). - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes). - media: usbtv: Fix refcounting mixup (git-fixes). - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes). - media: vsp1: Fix runtime PM imbalance on error (git-fixes). - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes). - memory: omap-gpmc: Fix a couple off by ones (git-fixes). - mfd: sm501: Fix leaks in probe() (git-fixes). - mic: vop: copy data to kernel space then write to io memory (git-fixes). - misc: mic: scif: Fix error handling path (git-fixes). - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes). 
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- Move upstreamed patches into sorted section
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- usb: serial: qcserial: fix altsetting probing (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

  Please reboot the system after installing this update.

Patch Instructions:

  To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Workstation Extension 15-SP1:

    zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3272=1

  - SUSE Linux Enterprise Module for Live Patching 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3272=1

  - SUSE Linux Enterprise Module for Legacy Software 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-3272=1

  - SUSE Linux Enterprise Module for Development Tools 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3272=1

  - SUSE Linux Enterprise Module for Basesystem 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3272=1

  - SUSE Linux Enterprise High Availability 15-SP1:

    zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-3272=1

Package List:

  - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

    kernel-default-debuginfo-4.12.14-197.67.1
    kernel-default-debugsource-4.12.14-197.67.1
    kernel-default-extra-4.12.14-197.67.1
    kernel-default-extra-debuginfo-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

    kernel-default-debuginfo-4.12.14-197.67.1
    kernel-default-debugsource-4.12.14-197.67.1
    kernel-default-livepatch-4.12.14-197.67.1
    kernel-default-livepatch-devel-4.12.14-197.67.1
    kernel-livepatch-4_12_14-197_67-default-1-3.3.1

  - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):

    kernel-default-debuginfo-4.12.14-197.67.1
    kernel-default-debugsource-4.12.14-197.67.1
    reiserfs-kmp-default-4.12.14-197.67.1
    reiserfs-kmp-default-debuginfo-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

    kernel-obs-build-4.12.14-197.67.1
    kernel-obs-build-debugsource-4.12.14-197.67.1
    kernel-syms-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

    kernel-docs-4.12.14-197.67.1
    kernel-source-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

    kernel-default-4.12.14-197.67.1
    kernel-default-base-4.12.14-197.67.1
    kernel-default-base-debuginfo-4.12.14-197.67.1
    kernel-default-debuginfo-4.12.14-197.67.1
    kernel-default-debugsource-4.12.14-197.67.1
    kernel-default-devel-4.12.14-197.67.1
    kernel-default-devel-debuginfo-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

    kernel-devel-4.12.14-197.67.1
    kernel-macros-4.12.14-197.67.1

  - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):

    kernel-default-man-4.12.14-197.67.1
    kernel-zfcpdump-debuginfo-4.12.14-197.67.1
    kernel-zfcpdump-debugsource-4.12.14-197.67.1

  - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

    cluster-md-kmp-default-4.12.14-197.67.1
    cluster-md-kmp-default-debuginfo-4.12.14-197.67.1
    dlm-kmp-default-4.12.14-197.67.1
    dlm-kmp-default-debuginfo-4.12.14-197.67.1
    gfs2-kmp-default-4.12.14-197.67.1
    gfs2-kmp-default-debuginfo-4.12.14-197.67.1
    kernel-default-debuginfo-4.12.14-197.67.1
    kernel-default-debugsource-4.12.14-197.67.1
    ocfs2-kmp-default-4.12.14-197.67.1
    ocfs2-kmp-default-debuginfo-4.12.14-197.67.1

References:

  https://www.suse.com/security/cve/CVE-2020-0430.html
  https://www.suse.com/security/cve/CVE-2020-14351.html
  https://www.suse.com/security/cve/CVE-2020-16120.html
  https://www.suse.com/security/cve/CVE-2020-25285.html
  https://www.suse.com/security/cve/CVE-2020-25656.html
  https://www.suse.com/security/cve/CVE-2020-27673.html
  https://www.suse.com/security/cve/CVE-2020-27675.html
  https://www.suse.com/security/cve/CVE-2020-8694.html
  https://bugzilla.suse.com/1055014
  https://bugzilla.suse.com/1061843
  https://bugzilla.suse.com/1065600
  https://bugzilla.suse.com/1065729
  https://bugzilla.suse.com/1066382
  https://bugzilla.suse.com/1077428
  https://bugzilla.suse.com/1112178
  https://bugzilla.suse.com/1131277
  https://bugzilla.suse.com/1134760
  https://bugzilla.suse.com/1170415
  https://bugzilla.suse.com/1171558
  https://bugzilla.suse.com/1173432
  https://bugzilla.suse.com/1174748
  https://bugzilla.suse.com/1176354
  https://bugzilla.suse.com/1176485
  https://bugzilla.suse.com/1176560
  https://bugzilla.suse.com/1176713
  https://bugzilla.suse.com/1176723
  https://bugzilla.suse.com/1177086
  https://bugzilla.suse.com/1177101
  https://bugzilla.suse.com/1177271
  https://bugzilla.suse.com/1177281
  https://bugzilla.suse.com/1177410
  https://bugzilla.suse.com/1177411
  https://bugzilla.suse.com/1177470
  https://bugzilla.suse.com/1177687
  https://bugzilla.suse.com/1177719
  https://bugzilla.suse.com/1177740
  https://bugzilla.suse.com/1177749
  https://bugzilla.suse.com/1177750
  https://bugzilla.suse.com/1177753
  https://bugzilla.suse.com/1177754
  https://bugzilla.suse.com/1177755
  https://bugzilla.suse.com/1177766
  https://bugzilla.suse.com/1177855
  https://bugzilla.suse.com/1177856
  https://bugzilla.suse.com/1177861
  https://bugzilla.suse.com/1178003
  https://bugzilla.suse.com/1178027
  https://bugzilla.suse.com/1178166
  https://bugzilla.suse.com/1178185
  https://bugzilla.suse.com/1178187
  https://bugzilla.suse.com/1178188
  https://bugzilla.suse.com/1178202
  https://bugzilla.suse.com/1178234
  https://bugzilla.suse.com/1178330

From sle-security-updates at lists.suse.com Wed Nov 11 00:19:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 08:19:00 +0100 (CET)
Subject: SUSE-CU-2020:669-1: Security update of suse/sles12sp3
Message-ID: <20201111071900.37C52FFAC@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:669-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.229 , suse/sles12sp3:latest
Container Release     : 24.229
Severity              : moderate
Type                  : security
References            : 1172798 1172846 1173972 1174753 1174817 1175168 CVE-2020-13844
-----------------------------------------------------------------

The container suse/sles12sp3 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3263-1
Released:    Tue Nov 10 09:48:14 2020
Summary:     Security update for gcc10
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844

This update for gcc10 fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.

The new compiler variants are available with the '-10' suffix; you can select them via:

  CC=gcc-10 CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

From sle-security-updates at lists.suse.com Wed Nov 11 00:31:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 08:31:36 +0100 (CET)
Subject: SUSE-CU-2020:670-1: Security update of suse/sles12sp4
Message-ID: <20201111073136.20463FFAC@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:670-1
Container Tags        : suse/sles12sp4:26.260 , suse/sles12sp4:latest
Container Release     : 26.260
Severity              : moderate
Type                  : security
References            : 1172798 1172846 1173972 1174753 1174817 1175168 CVE-2020-13844
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3263-1
Released:    Tue Nov 10 09:48:14 2020
Summary:     Security update for gcc10
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844

This update for gcc10 fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.

The new compiler variants are available with the '-10' suffix; you can select them via:

  CC=gcc-10 CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

From sle-security-updates at lists.suse.com Wed Nov 11 00:37:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 08:37:58 +0100 (CET)
Subject: SUSE-CU-2020:671-1: Security update of suse/sles12sp5
Message-ID: <20201111073758.CF148FFAC@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:671-1
Container Tags        : suse/sles12sp5:6.5.89 , suse/sles12sp5:latest
Container Release     : 6.5.89
Severity              : moderate
Type                  : security
References            : 1172798 1172846 1173972 1174753 1174817 1175168 CVE-2020-13844
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3263-1
Released:    Tue Nov 10 09:48:14 2020
Summary:     Security update for gcc10
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844

This update for gcc10 fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.

The new compiler variants are available with the '-10' suffix; you can select them via:

  CC=gcc-10 CXX=g++-10

or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

From sle-security-updates at lists.suse.com Wed Nov 11 07:16:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:16:31 +0100 (CET)
Subject: SUSE-SU-2020:14540-1: moderate: Security update for microcode_ctl
Message-ID: <20201111141631.1AF0DFFA8@maintenance.suse.de>

SUSE Security Update: Security update for microcode_ctl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14540-1
Rating:             moderate
References:         #1170446 #1173594
Cross-References:   CVE-2020-8695 CVE-2020-8698
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for microcode_ctl fixes the following issues:

- Updated Intel CPU Microcode to 20201027 prerelease (bsc#1170446)
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)

# New Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL            | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile
| CPX-SP         | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3
| CML-H          | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile
| CML-S62        | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10
| CML-S102       | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10
| CML-U62 V2     | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile

# Updated Platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R          | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y        | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e       | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL            | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL            | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S        | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP       | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP         | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP         | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D          | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP         | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP         | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y        | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22        | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y        | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e       | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U          | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U          | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3   | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S          | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S        | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H          | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62        | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile

Patch Instructions:

  To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Server 11-SP4-LTSS:

    zypper in -t patch slessp4-microcode_ctl-14540=1

  - SUSE Linux Enterprise Point of Sale 11-SP3:

    zypper in -t patch sleposp3-microcode_ctl-14540=1

Package List:

  - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64):

    microcode_ctl-1.17-102.83.59.1

  - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

    microcode_ctl-1.17-102.83.59.1

References:

  https://www.suse.com/security/cve/CVE-2020-8695.html
  https://www.suse.com/security/cve/CVE-2020-8698.html
  https://bugzilla.suse.com/1170446
  https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Wed Nov 11 07:17:34 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:17:34 +0100 (CET)
Subject: SUSE-SU-2020:3281-1: important: Security update for the Linux Kernel
Message-ID: <20201111141734.E93F1FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3281-1
Rating:             important
References:         #1055014 #1061843 #1065600 #1065729 #1066382 #1077428
                    #1112178 #1114648 #1131277 #1134760 #1140683 #1152624
                    #1157424 #1163592 #1168468 #1171558 #1171675 #1172538
                    #1172757 #1173432 #1174748 #1175520 #1175716 #1176354
                    #1176381 #1176395 #1176400 #1176410 #1176485 #1176560
                    #1176713 #1176723 #1176946 #1177027 #1177086 #1177101
                    #1177258 #1177271 #1177281 #1177340 #1177359 #1177410
                    #1177411 #1177470 #1177511 #1177685 #1177687 #1177719
                    #1177724 #1177725 #1177740 #1177749 #1177750 #1177753
                    #1177754 #1177755 #1177766 #1177855 #1177856 #1177861
                    #1178027 #1178166 #1178185 #1178187 #1178188 #1178202
                    #1178234 #1178330 #936888
Cross-References:   CVE-2020-0430 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351
                    CVE-2020-16120 CVE-2020-25212 CVE-2020-25285 CVE-2020-25645
                    CVE-2020-25656 CVE-2020-27673 CVE-2020-27675
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 58 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel Azure was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
- CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops filter addition (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).
- CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bnc#1176381).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
- CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411).
- CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).

The following non-security bugs were fixed:

- ACPI: dock: fix enum-conversion warning (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- amd-xgbe: Add a check for an skb in the timestamp path (git-fixes).
- amd-xgbe: Add additional dynamic debug messages (git-fixes).
- amd-xgbe: Add additional ethtool statistics (git-fixes).
- amd-xgbe: Add ethtool show/set channels support (git-fixes).
- amd-xgbe: Add ethtool show/set ring parameter support (git-fixes).
- amd-xgbe: Add ethtool support to retrieve SFP module info (git-fixes).
- amd-xgbe: Add hardware features debug output (git-fixes).
- amd-xgbe: Add NUMA affinity support for IRQ hints (git-fixes).
- amd-xgbe: Add NUMA affinity support for memory allocations (git-fixes).
- amd-xgbe: Add per queue Tx and Rx statistics (git-fixes).
- amd-xgbe: Advertise FEC support with the KR re-driver (git-fixes).
- amd-xgbe: Always attempt link training in KR mode (git-fixes).
- amd-xgbe: Be sure driver shuts down cleanly on module removal (git-fixes).
- amd-xgbe: Convert to generic power management (git-fixes).
- amd-xgbe: Fix debug output of max channel counts (git-fixes).
- amd-xgbe: Fix error path in xgbe_mod_init() (git-fixes).
- amd-xgbe: Fixes for working with PHYs that support 2.5GbE (git-fixes).
- amd-xgbe: Fix SFP PHY supported/advertised settings (git-fixes).
- amd-xgbe: fix spelling mistake: "avialable" -> "available" (git-fixes).
- amd-xgbe: Handle return code from software reset function (git-fixes).
- amd-xgbe: Improve SFP 100Mbps auto-negotiation (git-fixes).
- amd-xgbe: Interrupt summary bits are h/w version dependent (git-fixes).
- amd-xgbe: Limit the I2C error messages that are output (git-fixes).
- amd-xgbe: Mark expected switch fall-throughs (git-fixes).
- amd-xgbe: Optimize DMA channel interrupt enablement (git-fixes).
- amd-xgbe: Prepare for ethtool set-channel support (git-fixes).
- amd-xgbe: Read and save the port property registers during probe (git-fixes).
- amd-xgbe: Remove field that indicates SFP diagnostic support (git-fixes).
- amd-xgbe: remove unnecessary conversion to bool (git-fixes).
- amd-xgbe: Remove use of comm_owned field (git-fixes).
- amd-xgbe: Set the MDIO mode for 10000Base-T configuration (git-fixes).
- amd-xgbe: Simplify the burst length settings (git-fixes).
- amd-xgbe: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- amd-xgbe: use dma_mapping_error to check map errors (git-fixes).
- amd-xgbe: Use __napi_schedule() in BH context (git-fixes).
- amd-xgbe: Use the proper register during PTP initialization (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: fix incorrect updating of log root tree (bsc#1177687).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: dh - check validity of Z before export (bsc#1175716).
- crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175716).
- crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175716).
- crypto: ecdh - check validity of Z before export (bsc#1175716).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- Disable CONFIG_LIVEPATCH_IPA_CLONES where not needed. Explicitly disable CONFIG_LIVEPATCH_IPA_CLONES in configs where it is not needed to avoid confusion and unwanted values due to fragment config files.
- Disable ipa-clones dump for KMP builds (bsc#1178330). The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes.
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- drivers: net: add missing interrupt.h include (git-fixes).
- drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- ea43d9709f72 ("nvme: fix identify error status silent ignore")
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- ext4: fix dir_nlink behaviour (bsc#1177359).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- leds: mt6323: move period calculation (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- lib/mpi: Add mpi_sub_ui() (bsc#1175716).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- Move the upstreamed bluetooth fix into sorted section
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: 8390: Fix manufacturer name in Kconfig help text (git-fixes).
- net: amd: fix return type of ndo_start_xmit function (git-fixes).
- net/amd: Remove useless driver version (git-fixes).
- net: amd-xgbe: fix comparison to bitshift when dealing with a mask (git-fixes).
- net: amd-xgbe: Get rid of custom hex_dump_to_buffer() (git-fixes).
- net: apple: Fix manufacturer name in Kconfig help text (git-fixes).
- net: broadcom: Fix manufacturer name in Kconfig help text (git-fixes).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: mvmdio: defer probe of orion-mdio if a clock is not ready (git-fixes).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx (git-fixes).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- NFS: On fatal writeback errors, we need to call nfs_inode_remove_request() (bsc#1177340).
- NFS: Revalidate the file mapping on all fatal writeback errors (bsc#1177340).
- NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: add a Identify Namespace Identification Descriptor list quirk (bsc#1174748). add two previous futile attempts to fix the bug to blacklist.conf
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme: Fix ctrl use-after-free during sysfs deletion (bsc#1174748).
- nvme: fix deadlock caused by ANA update wrong locking (bsc#1174748).
- nvme: fix possible io failures when removing multipathed ns (bsc#1174748).
- nvme: make nvme_identify_ns propagate errors back (bsc#1174748).
- nvme: make nvme_report_ns_ids propagate error back (bsc#1174748).
- nvme-multipath: do not reset on unknown status (bsc#1174748).
- nvme: Namepace identification descriptor list is optional (bsc#1174748).
- nvme: pass status to nvme_error_status (bsc#1174748).
- nvme-rdma: Avoid double freeing of async event data (bsc#1174748).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme: return error from nvme_alloc_ns() (bsc#1174748).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1114648).
- perf/x86: Fix n_pair for cancelled txn (bsc#1114648).
- platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes).
- platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: fnic: Do not call 'scsi_done()' for unhandled commands (bsc#1168468, bsc#1171675).
- scsi: hisi_sas: Add debugfs ITCT file and add file operations (bsc#1140683).
- scsi: hisi_sas: Add manual trigger for debugfs dump (bsc#1140683).
- scsi: hisi_sas: Add missing seq_printf() call in hisi_sas_show_row_32() (bsc#1140683).
- scsi: hisi_sas: Change return variable type in phy_up_v3_hw() (bsc#1140683).
- scsi: hisi_sas: Correct memory allocation size for DQ debugfs (bsc#1140683).
- scsi: hisi_sas: Do some more tidy-up (bsc#1140683).
- scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO (bsc#1140683).
- scsi: hisi_sas: Fix type casting and missing static qualifier in debugfs code (bsc#1140683).
  Refresh:
- scsi: hisi_sas: No need to check return value of debugfs_create functions (bsc#1140683).
  Update:
- scsi: hisi_sas: Some misc tidy-up (bsc#1140683).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix memory size truncation (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Performance tweak (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1176946 bsc#1175520 bsc#1172538).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- target-rbd-fix-unmap-discard-block-size-conversion.patch: (bsc#1177271).
- target-use-scsi_set_sense_information-helper-on-misc.patch: (bsc#1177719).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- USB: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- USB: cdc-acm: handle broken union descriptors (git-fixes).
- USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- USB: core: Solve race condition in anchor cleanup functions (git-fixes).
- USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- USB: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- USB: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- USB: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- USB: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- USB: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- USB: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xgbe: no need to check return value of debugfs_create functions (git-fixes).
- xgbe: switch to more generic VxLAN detection (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3281=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  kernel-devel-azure-4.12.14-16.34.1
  kernel-source-azure-4.12.14-16.34.1

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  kernel-azure-4.12.14-16.34.1
  kernel-azure-base-4.12.14-16.34.1
  kernel-azure-base-debuginfo-4.12.14-16.34.1
  kernel-azure-debuginfo-4.12.14-16.34.1
  kernel-azure-debugsource-4.12.14-16.34.1
  kernel-azure-devel-4.12.14-16.34.1
  kernel-syms-azure-4.12.14-16.34.1

References:

https://www.suse.com/security/cve/CVE-2020-0430.html
https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-12352.html
https://www.suse.com/security/cve/CVE-2020-14351.html
https://www.suse.com/security/cve/CVE-2020-16120.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://www.suse.com/security/cve/CVE-2020-25285.html
https://www.suse.com/security/cve/CVE-2020-25645.html
https://www.suse.com/security/cve/CVE-2020-25656.html
https://www.suse.com/security/cve/CVE-2020-27673.html
https://www.suse.com/security/cve/CVE-2020-27675.html
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1061843
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1066382
https://bugzilla.suse.com/1077428
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1131277
https://bugzilla.suse.com/1134760
https://bugzilla.suse.com/1140683
https://bugzilla.suse.com/1152624
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1168468
https://bugzilla.suse.com/1171558
https://bugzilla.suse.com/1171675
https://bugzilla.suse.com/1172538
https://bugzilla.suse.com/1172757
https://bugzilla.suse.com/1173432
https://bugzilla.suse.com/1174748
https://bugzilla.suse.com/1175520
https://bugzilla.suse.com/1175716
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1176381
https://bugzilla.suse.com/1176395
https://bugzilla.suse.com/1176400
https://bugzilla.suse.com/1176410
https://bugzilla.suse.com/1176485
https://bugzilla.suse.com/1176560
https://bugzilla.suse.com/1176713
https://bugzilla.suse.com/1176723
https://bugzilla.suse.com/1176946
https://bugzilla.suse.com/1177027
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177101
https://bugzilla.suse.com/1177258
https://bugzilla.suse.com/1177271
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177340
https://bugzilla.suse.com/1177359
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177511
https://bugzilla.suse.com/1177685
https://bugzilla.suse.com/1177687
https://bugzilla.suse.com/1177719
https://bugzilla.suse.com/1177724
https://bugzilla.suse.com/1177725
https://bugzilla.suse.com/1177740
https://bugzilla.suse.com/1177749
https://bugzilla.suse.com/1177750
https://bugzilla.suse.com/1177753
https://bugzilla.suse.com/1177754
https://bugzilla.suse.com/1177755
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177855
https://bugzilla.suse.com/1177856
https://bugzilla.suse.com/1177861
https://bugzilla.suse.com/1178027
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178187
https://bugzilla.suse.com/1178188
https://bugzilla.suse.com/1178202
https://bugzilla.suse.com/1178234
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/936888

From sle-security-updates at lists.suse.com Wed Nov 11 07:26:21 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:26:21 +0100 (CET)
Subject: SUSE-SU-2020:3279-1: moderate: Security update for ucode-intel
Message-ID:
<20201111142621.9CCB0FFA8@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3279-1
Rating: moderate
References: #1170446 #1173594
Cross-References: CVE-2020-8695 CVE-2020-8698
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)

# New Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile

# Updated Platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3279=1

- SUSE OpenStack Cloud Crowbar 8:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3279=1

- SUSE OpenStack Cloud 9:

  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3279=1

- SUSE OpenStack Cloud 8:

  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3279=1

- SUSE OpenStack Cloud 7:

  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3279=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3279=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3279=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3279=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3279=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3279=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3279=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3279=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3279=1

- SUSE Enterprise Storage 5:

  zypper in -t patch SUSE-Storage-5-2020-3279=1

- HPE Helion Openstack 8:

  zypper in -t patch HPE-Helion-OpenStack-8-2020-3279=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

  ucode-intel-20201027-13.76.1
  ucode-intel-debuginfo-20201027-13.76.1
  ucode-intel-debugsource-20201027-13.76.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

  ucode-intel-20201027-13.76.1
  ucode-intel-debuginfo-20201027-13.76.1
  ucode-intel-debugsource-20201027-13.76.1

- SUSE OpenStack Cloud 9 (x86_64):

  ucode-intel-20201027-13.76.1
  ucode-intel-debuginfo-20201027-13.76.1
  ucode-intel-debugsource-20201027-13.76.1

- SUSE OpenStack Cloud 8 (x86_64):

  ucode-intel-20201027-13.76.1
ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE OpenStack Cloud 7 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - SUSE Enterprise Storage 5 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20201027-13.76.1 ucode-intel-debuginfo-20201027-13.76.1 ucode-intel-debugsource-20201027-13.76.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 
https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Wed Nov 11 07:27:28 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:27:28 +0100 (CET)
Subject: SUSE-SU-2020:3282-1: important: Security update for u-boot
Message-ID: <20201111142728.81D40FFA8@maintenance.suse.de>

SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3282-1
Rating:             important
References:         #1134157 #1134853 #1143463 #1143777 #1143817 #1143818 #1143819 #1143820 #1143821 #1143823 #1143824 #1143825 #1143827 #1143828 #1143830 #1143831 #1162198 #1167209
Cross-References:   CVE-2019-11059 CVE-2019-11690 CVE-2019-13103 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 CVE-2020-10648 CVE-2020-8432
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available.

Description:

This update for u-boot fixes the following issues:

CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3282=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  u-boot-tools-2019.01-7.10.1
  u-boot-tools-debuginfo-2019.01-7.10.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64):
  u-boot-rpi3-2019.01-7.10.2

References:

https://www.suse.com/security/cve/CVE-2019-11059.html
https://www.suse.com/security/cve/CVE-2019-11690.html
https://www.suse.com/security/cve/CVE-2019-13103.html
https://www.suse.com/security/cve/CVE-2019-14192.html
https://www.suse.com/security/cve/CVE-2019-14193.html
https://www.suse.com/security/cve/CVE-2019-14194.html
https://www.suse.com/security/cve/CVE-2019-14195.html
https://www.suse.com/security/cve/CVE-2019-14196.html
https://www.suse.com/security/cve/CVE-2019-14197.html
https://www.suse.com/security/cve/CVE-2019-14198.html
https://www.suse.com/security/cve/CVE-2019-14199.html
https://www.suse.com/security/cve/CVE-2019-14200.html
https://www.suse.com/security/cve/CVE-2019-14201.html
https://www.suse.com/security/cve/CVE-2019-14202.html
https://www.suse.com/security/cve/CVE-2019-14203.html
https://www.suse.com/security/cve/CVE-2019-14204.html
https://www.suse.com/security/cve/CVE-2020-10648.html
https://www.suse.com/security/cve/CVE-2020-8432.html
https://bugzilla.suse.com/1134157
https://bugzilla.suse.com/1134853
https://bugzilla.suse.com/1143463
https://bugzilla.suse.com/1143777
https://bugzilla.suse.com/1143817
https://bugzilla.suse.com/1143818
https://bugzilla.suse.com/1143819
https://bugzilla.suse.com/1143820
https://bugzilla.suse.com/1143821
https://bugzilla.suse.com/1143823
https://bugzilla.suse.com/1143824
https://bugzilla.suse.com/1143825
https://bugzilla.suse.com/1143827
https://bugzilla.suse.com/1143828
https://bugzilla.suse.com/1143830
https://bugzilla.suse.com/1143831
https://bugzilla.suse.com/1162198
https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com Wed Nov 11 07:37:14 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:37:14 +0100 (CET)
Subject: SUSE-SU-2020:14541-1: important: Security update for openldap2
Message-ID: <20201111143714.7CA9AFFC8@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14541-1
Rating:             important
References:         #1178387
Cross-References:   CVE-2020-25692
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Server 11-SECURITY
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-openldap2-14541=1
- SUSE Linux Enterprise Server 11-SECURITY:
  zypper in -t patch secsp3-openldap2-14541=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-openldap2-14541=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-openldap2-14541=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  compat-libldap-2_3-0-2.3.37-2.74.16.1
  libldap-2_4-2-2.4.26-0.74.16.1
  openldap2-2.4.26-0.74.16.1
  openldap2-back-meta-2.4.26-0.74.16.1
  openldap2-client-2.4.26-0.74.16.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
  libldap-2_4-2-32bit-2.4.26-0.74.16.1
- SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
  libldap-openssl1-2_4-2-2.4.26-0.74.16.1
  openldap2-client-openssl1-2.4.26-0.74.16.1
  openldap2-openssl1-2.4.26-0.74.16.1
- SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
  libldap-openssl1-2_4-2-32bit-2.4.26-0.74.16.1
- SUSE Linux Enterprise Server 11-SECURITY (ia64):
  libldap-openssl1-2_4-2-x86-2.4.26-0.74.16.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  compat-libldap-2_3-0-2.3.37-2.74.16.1
  libldap-2_4-2-2.4.26-0.74.16.1
  openldap2-2.4.26-0.74.16.1
  openldap2-back-meta-2.4.26-0.74.16.1
  openldap2-client-2.4.26-0.74.16.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  openldap2-client-debuginfo-2.4.26-0.74.16.1
  openldap2-client-debugsource-2.4.26-0.74.16.1
  openldap2-debuginfo-2.4.26-0.74.16.1
  openldap2-debugsource-2.4.26-0.74.16.1

References:

https://www.suse.com/security/cve/CVE-2020-25692.html
https://bugzilla.suse.com/1178387

From sle-security-updates at lists.suse.com Wed Nov 11 07:43:25 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:43:25 +0100 (CET)
Subject: SUSE-SU-2020:3283-1: important: Security update for u-boot
Message-ID: <20201111144325.6CA24FFA8@maintenance.suse.de>

SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3283-1
Rating:             important
References:         #1098447 #1098649 #1134157 #1134853 #1143463 #1143777 #1143817 #1143818 #1143819 #1143820 #1143821 #1143823 #1143824 #1143825 #1143827 #1143828 #1143830 #1143831 #1162198 #1167209
Cross-References:   CVE-2019-11059 CVE-2019-11690 CVE-2019-13103 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 CVE-2020-10648 CVE-2020-8432
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves 18 vulnerabilities and has two fixes is now available.

Description:

This update for u-boot fixes the following issues:

- Fix network boot on Raspberry Pi 3 B+ (bsc#1098649)
- Fix GOP pixel format (bsc#1098447)
- Fix SD writes on Raspberry Pi
- Enable a few more armv7 boards to boot with EFI
- Fix potentially miscompiled runtime service calls

Fix CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3283=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3283=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3283=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3283=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  u-boot-tools-2018.03-4.6.1
  u-boot-tools-debuginfo-2018.03-4.6.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  u-boot-tools-2018.03-4.6.1
  u-boot-tools-debuginfo-2018.03-4.6.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64):
  u-boot-rpi3-2018.03-4.6.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  u-boot-tools-2018.03-4.6.1
  u-boot-tools-debuginfo-2018.03-4.6.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64):
  u-boot-rpi3-2018.03-4.6.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  u-boot-tools-2018.03-4.6.1
  u-boot-tools-debuginfo-2018.03-4.6.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64):
  u-boot-rpi3-2018.03-4.6.2

References:

https://www.suse.com/security/cve/CVE-2019-11059.html
https://www.suse.com/security/cve/CVE-2019-11690.html
https://www.suse.com/security/cve/CVE-2019-13103.html
https://www.suse.com/security/cve/CVE-2019-14192.html
https://www.suse.com/security/cve/CVE-2019-14193.html
https://www.suse.com/security/cve/CVE-2019-14194.html
https://www.suse.com/security/cve/CVE-2019-14195.html
https://www.suse.com/security/cve/CVE-2019-14196.html
https://www.suse.com/security/cve/CVE-2019-14197.html
https://www.suse.com/security/cve/CVE-2019-14198.html
https://www.suse.com/security/cve/CVE-2019-14199.html
https://www.suse.com/security/cve/CVE-2019-14200.html
https://www.suse.com/security/cve/CVE-2019-14201.html
https://www.suse.com/security/cve/CVE-2019-14202.html
https://www.suse.com/security/cve/CVE-2019-14203.html
https://www.suse.com/security/cve/CVE-2019-14204.html
https://www.suse.com/security/cve/CVE-2020-10648.html
https://www.suse.com/security/cve/CVE-2020-8432.html
https://bugzilla.suse.com/1098447
https://bugzilla.suse.com/1098649
https://bugzilla.suse.com/1134157
https://bugzilla.suse.com/1134853
https://bugzilla.suse.com/1143463
https://bugzilla.suse.com/1143777
https://bugzilla.suse.com/1143817
https://bugzilla.suse.com/1143818
https://bugzilla.suse.com/1143819
https://bugzilla.suse.com/1143820
https://bugzilla.suse.com/1143821
https://bugzilla.suse.com/1143823
https://bugzilla.suse.com/1143824
https://bugzilla.suse.com/1143825
https://bugzilla.suse.com/1143827
https://bugzilla.suse.com/1143828
https://bugzilla.suse.com/1143830
https://bugzilla.suse.com/1143831
https://bugzilla.suse.com/1162198
https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com Wed Nov 11 07:48:39 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 15:48:39 +0100 (CET)
Subject: SUSE-SU-2020:3292-1: moderate: Security update for python-waitress
Message-ID: <20201111144839.57ABFFFA8@maintenance.suse.de>

SUSE Security Update: Security update for python-waitress
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3292-1
Rating:             moderate
References:         #1160790 #1161088 #1161089 #1161670
Cross-References:   CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for python-waitress to version 1.4.3 fixes the following security issues:

- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
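The four waitress issues above are one bug class: a front-end proxy and the back-end server frame the same bytes differently, so a request body can carry a second request that only one of them sees. As an added illustration (not waitress's own parser and not part of the original advisory), the validator below refuses every construct involved rather than picking an interpretation: bare LF line endings (CVE-2019-16785), Transfer-Encoding values that are not a known coding list ending in chunked (CVE-2019-16786), header names carrying whitespace other than SP/HTAB (CVE-2019-16789) and repeated Content-Length headers that disagree (CVE-2019-16792). It also applies the RFC 7230 token rule to the method, which is the rule whose absence on the client side is the urllib3 CRLF-injection item (CVE-2020-26137) in the SUSE OpenStack Cloud advisory further down this page. The names `parse_request_head`, `verdict`, `SmugglingRisk`, the accepted coding set and the `SAMPLES` requests are all assumptions of this example; the requests are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 request-head validation against the request-smuggling vectors
fixed in waitress 1.4.3. Added illustration; not waitress's own parser."""
import re

# RFC 7230 "tchar": the only characters allowed in a token (method, header name,
# transfer-coding name). Anything else, CR and LF included, is rejected outright.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# Field values: HTAB, visible ASCII and obs-text. VT, FF, NUL and friends are not
# whitespace here and must not be silently stripped.
_FIELD_VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*\Z")
# Transfer codings this demo server is prepared to accept (an assumed set).
_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate", b"compress", b"identity"}


class SmugglingRisk(ValueError):
    """Raised for any construct that two HTTP parsers are known to frame differently."""


def parse_request_head(raw: bytes):
    """Parse request line and headers from a raw HTTP/1.x request.

    Returns (method, target, headers, framing) with framing one of
    ("content-length", n), ("chunked", None) or ("none", 0).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    # CVE-2019-16785: a bare LF is not a line terminator. Any CR or LF left after
    # splitting on CRLF is a line that one parser sees and another does not.
    if any(b"\n" in ln or b"\r" in ln for ln in lines):
        raise SmugglingRisk("bare CR or LF in request head")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise SmugglingRisk("malformed request line")
    method, target, _version = parts
    if not _TOKEN.match(method):
        raise SmugglingRisk("method is not an RFC 7230 token")
    if not target:
        raise SmugglingRisk("empty request target")

    headers = []
    for ln in lines[1:]:
        name, colon, value = ln.partition(b":")
        # CVE-2019-16789: the name must be a bare token. "Content-Length\x0b:" is not
        # a whitespace variant of Content-Length; it is a different, unknown header.
        if not colon or not _TOKEN.match(name) or not _FIELD_VALUE.match(value):
            raise SmugglingRisk(f"malformed header field: {ln!r}")
        headers.append((name.lower(), value.strip(b" \t")))

    cl_values = {v for n, v in headers if n == b"content-length"}
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    if cl_values and te_values:
        # RFC 7230 s3.3.3 says Transfer-Encoding wins, but a front-end may disagree;
        # a strict server refuses the combination instead of choosing.
        raise SmugglingRisk("both Content-Length and Transfer-Encoding present")
    if te_values:
        # CVE-2019-16786: every coding must be known and "chunked" must be the last
        # one, otherwise some parsers fall back to Content-Length framing.
        codings = [c.strip(b" \t").lower() for v in te_values for c in v.split(b",")]
        if any(c not in _CODINGS for c in codings) or codings[-1] != b"chunked":
            raise SmugglingRisk(f"unsupported Transfer-Encoding: {te_values!r}")
        if codings.count(b"chunked") != 1:
            raise SmugglingRisk("chunked applied more than once")
        return method, target, headers, ("chunked", None)
    if cl_values:
        # CVE-2019-16792: a repeated Content-Length is tolerable only when every copy
        # agrees, and the value must be plain ASCII digits.
        if len(cl_values) != 1:
            raise SmugglingRisk(f"conflicting Content-Length values: {sorted(cl_values)!r}")
        (cl,) = cl_values
        if not cl.isdigit():
            raise SmugglingRisk(f"non-numeric Content-Length: {cl!r}")
        return method, target, headers, ("content-length", int(cl))
    return method, target, headers, ("none", 0)


def verdict(raw: bytes) -> str:
    """'ok:<framing>' when the request is unambiguous, else 'reject:<reason>'."""
    try:
        return "ok:" + parse_request_head(raw)[3][0]
    except SmugglingRisk as exc:
        return "reject:" + str(exc)


# Constructed sample requests (not captured traffic), one per vector.
SAMPLES = {
    "clean": b"POST /login HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST /login HTTP/1.1\r\nHost: app\nContent-Length: 5\r\n\r\nhello",
    "bad_te": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked-foo\r\n\r\n0\r\n\r\n",
    "bad_ws": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length\x0b: 5\r\n\r\nhello",
    "double_cl": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello",
    "bad_method": b"GET\x7f / HTTP/1.1\r\nHost: app\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:<11} {verdict(req)}")
```

Run it directly to get one verdict per sample. The design point is that nothing is normalised: a strict back-end answers ambiguous framing with a 400 instead of guessing, because whichever guess it makes, some proxy in front of it will make the other one. A TE list such as `gzip, chunked` is still accepted, since that is valid HTTP/1.1 and every conforming parser frames it the same way.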
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3292=1

Package List:

- SUSE Enterprise Storage 5 (noarch):
  python-waitress-1.4.3-3.3.1

References:

https://www.suse.com/security/cve/CVE-2019-16785.html
https://www.suse.com/security/cve/CVE-2019-16786.html
https://www.suse.com/security/cve/CVE-2019-16789.html
https://www.suse.com/security/cve/CVE-2019-16792.html
https://bugzilla.suse.com/1160790
https://bugzilla.suse.com/1161088
https://bugzilla.suse.com/1161089
https://bugzilla.suse.com/1161670

From sle-security-updates at lists.suse.com Wed Nov 11 13:15:47 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Nov 2020 21:15:47 +0100 (CET)
Subject: SUSE-SU-2020:14542-1: important: Security update for MozillaFirefox
Message-ID: <20201111201547.5023DFFA8@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14542-1
Rating:             important
References:         #1178588
Cross-References:   CVE-2020-26950
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.4.1 ESR
  * Fixed: Security fix MFSA 2020-49 (bsc#1178588)
  * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-MozillaFirefox-14542=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-MozillaFirefox-14542=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
  MozillaFirefox-78.4.1-78.102.1
  MozillaFirefox-translations-common-78.4.1-78.102.1
  MozillaFirefox-translations-other-78.4.1-78.102.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):
  MozillaFirefox-debuginfo-78.4.1-78.102.1

References:

https://www.suse.com/security/cve/CVE-2020-26950.html
https://bugzilla.suse.com/1178588

From sle-security-updates at lists.suse.com Thu Nov 12 10:19:20 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 18:19:20 +0100 (CET)
Subject: SUSE-SU-2020:3309-1: important: Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift
Message-ID: <20201112171920.5D27DFFA2@maintenance.suse.de>

SUSE Security Update: Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu,
python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3309-1 Rating: important References: #1008037 #1008038 #1010940 #1019021 #1038785 #1056094 #1059235 #1080682 #1097775 #1102126 #1109957 #1112959 #1117080 #1118896 #1123561 #1126503 #1137479 #1137528 #1142121 #1142542 #1144453 #1153452 #1154231 #1154232 #1154830 #1157968 #1157969 #1159447 #1161919 #1164133 #1164134 #1164135 #1164136 #1164137 #1164138 #1164139 #1164140 #1165022 #1165393 #1166389 #1167440 #1167532 #1171162 #1171823 #1172450 #1173413 #1173416 #1173418 #1174006 #1174145 #1174242 #1174302 #1174583 #1175484 #1175986 #1175993 #1177120 #1177948 SOC-10300 SOC-10522 SOC-10616 SOC-11000 SOC-11223 SOC-11342 SOC-11352 SOC-11364 SOC-11386 SOC-11389 SOC-11391 SOC-6780 SOC-9974 SOC-9998 Cross-References: CVE-2016-8614 CVE-2016-8628 CVE-2016-8647 CVE-2016-9587 CVE-2017-7466 CVE-2017-7550 CVE-2018-10875 CVE-2018-11779 CVE-2018-16837 CVE-2018-16859 CVE-2018-16876 CVE-2018-18623 CVE-2018-18624 CVE-2018-18625 CVE-2019-0202 CVE-2019-10156 CVE-2019-10206 CVE-2019-10217 CVE-2019-14846 CVE-2019-14856 CVE-2019-14858 CVE-2019-14864 CVE-2019-14904 CVE-2019-14905 CVE-2019-19844 CVE-2019-3828 CVE-2020-10177 CVE-2020-10378 CVE-2020-10684 CVE-2020-10685 CVE-2020-10691 CVE-2020-10729 CVE-2020-10744 CVE-2020-10994 CVE-2020-11110 CVE-2020-14330 CVE-2020-14332 CVE-2020-14365 CVE-2020-1733 CVE-2020-1734 CVE-2020-1735 CVE-2020-1736 CVE-2020-1737 CVE-2020-17376 CVE-2020-1738 CVE-2020-1739 CVE-2020-1740 CVE-2020-1746 CVE-2020-1753 CVE-2020-25032 CVE-2020-26137 CVE-2020-7471 CVE-2020-9402 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now 
available. Description: This update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift contains the following fixes: Security fixes included in this update: ansible to 2.9.14: - CVE-2020-1733: Fixed insecure temporary directory when running become_user (bsc#1164140). - CVE-2020-1753: Kubectl connection plugin - connection plugin now redact kubectl_token and kubectl_password in console log. (bsc#1166389) - CVE-2020-14365: Previously, regardless of the disable_gpg_check option, packages were not GPG validated. They are now. (bsc#1175993) - CVE-2020-14332: copy - Redact the value of the no_log 'content' parameter in the result's invocation.module_args in check mode. Previously when used with check mode and with '-vvv', the module would not censor the content if a change would be made to the destination path. (bsc#1174302) - CVE-2020-1736: atomic_move - Change default permissions when creating temporary files so they are not world readable (bsc#1164134). - CVE-2020-14330: Sanitize no_log values from any response keys that might be returned from the uri module (bsc#1174145). - CVE-2019-14846: Reset logging level to INFO. (bsc#1153452). - CVE-2020-10744: incomplete fix for CVE-2020-1733 (bsc#1171823). grafana: - CVE-2018-18623, CVE-2018-18624,CVE-2018-18625: Fixed multiple XSS vulnerabilities in dashboard due to a incomplete fix for CVE-2018-12099 (bsc#1172450). - CVE-2020-11110: Fixed a stored XSS (bsc#1174583). 
openstack-nova: - CVE-2020-17376: Fixed an information leak during live migration (bsc#1175484). python-Django to 1.11.29 - CVE-2020-7471: Fixed a SQL injection via StringAgg delimiter (bsc#1161919). - CVE-2020-9402: Fixed a SQL injection via tolerance parameter in GIS functions and aggregates (bsc#1165022). - CVE-2019-19844: Fixed a potential account hijack via password reset form (bsc#1159447). python-Flask-Cors - CVE-2020-25032: Fixed a potential information leak through path traversal (bsc#1175986). python-Pillow - CVE-2020-10177: Fixed multiple out-of-bounds reads in libImaging/FliDecode.c (bsc#1173413). - CVE-2020-10994: Fixed multiple out-of-bounds reads via a crafted JP2 files (bsc#1173418). - CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files (bsc#1173416). python-urllib3 - CVE-2020-26137: Fixed CRLF injection via HTTP request method (bsc#1177120) storm: - CVE-2018-11779: Fixed java deserialization vulnerability related to the usage of storm-kafka-client or storm-kafka modules (bsc#1143163). - CVE-2019-0202: Fixed an information leak related to the log viewer (bsc#1142617). rubygem-crowbar-client update to 3.9.3: - CVE-2018-17954: Fixed information leak of the admin password to all nodes in cleartext during provisioning (bsc#1117080) Non-security fixes included on this update: Changes in ansible: - Update to ansible 2.9.14: - minor bugs and fixes, including security bugs: - CVE-2020-1753, bsc#1166389: Kubectl connection plugin - connection plugin now redact kubectl_token and kubectl_password in console log. - revert CVE-2020-1736. Users are encouraged to specify a mode parameter in their file-based tasks when the files being manipulated contain sensitive data. - CVE-2020-14365, bsc#1175993: Previously, regardless of the disable_gpg_check option, packages were not GPG validated. They are now. - CVE-2020-14332, bsc#1174302: copy - Redact the value of the no_log 'content' parameter in the result's invocation.module_args in check mode. 
Previously when used with check mode and with '-vvv', the module would not censor the content if a change would be made to the destination path. - CVE-2020-1736, bsc#1164134: atomic_move - Change default permissions when creating temporary files so they are not world readable - CVE-2020-14330, bsc#1174145: Sanitize no_log values from any response keys that might be returned from the uri module. - CVE-2019-14846, bsc#1153452: Reset logging level to INFO. - CVE-2020-10744, bsc#1171823, gh#ansible/ansible#69782: incomplete fix for CVE-2020-1733 - Remove patches included upstream: - CVE-2020-14330_exposed_keys_uri_mod.patch - CVE-2020-10744_avoid_mkdir_p.patch - Don't Require python-coverage, it is needed only for testing (bsc#1177948). - Add CVE-2020-14330_exposed_keys_uri_mod.patch which fixes CVE-2020-14330 (bsc#1174145). Sanitize no_log values from any response keys that might be returned from the uri module. Sensitive values marked with ``no_log=True`` will automatically have that value stripped from module return values. If your module could return these sensitive values as part of a dictionary key name, you should call the ``ansible.module_utils.basic.sanitize_keys()`` function to strip the values from the keys. See the ``uri`` module for an example. - importlib and argparse are required only on SLE-11 and less. - Add CVE-2020-10744_avoid_mkdir_p.patch (bsc#1171823) to fix insecure temporary directory creation. - Add metadata information to this file to mark which SUSE bugzilla have been already fixed. 
- Remove CVE-2017-7550-jenkins-disallow-password-in-params.patch as it has been already included in 2.4.1.0 - update to version 2.9.9 * fix for a regression introduced in 2.9.8 - update to version 2.9.8 maintenance release containing numerous bugfixes - update to version 2.9.7 with many bug fixes, especially for these security issues: - bsc#1164140 CVE-2020-1733 - insecure temporary directory when running become_user from become directive - bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe lookup plugin subprocess - bsc#1164137 CVE-2020-1735 - path injection on dest parameter in fetch module - bsc#1164134 CVE-2020-1736 atomic_move primitive sets permissive permissions - bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip module does not check extracted path - bsc#1164136 CVE-2020-1738 module package can be selected by the ansible facts - bsc#1164133 CVE-2020-1739 - svn module leaks password when specified as a parameter - bsc#1164135 CVE-2020-1740 - secrets readable after ansible-vault edit - bsc#1165393 CVE-2020-1746 - information disclosure issue in ldap_attr and ldap_entry modules - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive information - bsc#1167532 CVE-2020-10684 - code injection when using ansible_facts as a subkey - bsc#1167440 CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2] - create missing (empty) template and files directories for 'ansible-galaxy init' during package build (fixes boo#1137479) - require python-xml on python 2 systems (boo#1142542) - update to version 2.9.6 (maintenance release) including these security issues: - bsc#1171162 CVE-2020-10729 two random password lookups in same task return same value - update to version 2.9.5 (maintenance release) - update to version 2.9.4 (maintenance release) - fix in yum module - security fixes: - bsc#1157968 CVE-2019-14904 
vulnerability in solaris_zone module via crafted solaris zone - bsc#1157969 CVE-2019-14905 malicious code could craft filename in nxos_file_copy module - update to version 2.9.3 (maintenance release) * security fixes - CVE-2019-14904 (solaris_zone module) (boo#1157968) - CVE-2019-14905 (nxos_file_copy module) (boo#1157969) * various bugfixes - sync with upstream spec file (especially for RHEL & Fedora builds) - ran spec-cleaner - remove old SUSE targets (SLE-11, Leap 42.3 and below) This simplifies the spec file and makes building easier - Additional required packages for building: + python-boto3 and python-botocore for Amazon EC2 + python-jmespath for json queries + python-memcached for cloud modules and local caching of JSON formatted, per host records + python-redis for cloud modules and local caching of JSON formatted, per host records + python-requests for many web-based modules (cloud, network, netapp) => as the need for those packages depends on the usage of the tool, they are just recommended on openSUSE/SUSE machines - made dependencies for gitlab, vmware and winrm modules configurable, as most of their dependencies are not (yet) available on current openSUSE/SUSE distributions - exclude /usr/bin/pwsh from the automatic dependency generation, as the Windows Power Shell is not available (yet) on openSUSE/SUSE - build additional docs and split up ansible-doc package; moving changelogs, contrib and example directories there - prepare for building HTML documentation, but disable this per default for the moment, as not all package dependencies are available in openSUSE/SUSE (yet) - package some test scripts with executable permissions - update to version 2.9.2 maintenance release containing numerous bugfixes - Create system directories that Ansible defines as default locations in ansible/config/base.yml - rephrase the summary line - Disable shebang munging for specific paths. These files are data files. ansible-test munges the shebangs itself. 
- split out ansible-test package for module developers
- update to version 2.9.1
  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ and also available online at https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
  + CVE-2019-14864: fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830)
- replace all #!/usr/bin/env lines to use #!/usr/bin/$1 directly
- added file '/usr/bin/ansible-test' to spec file
- Update to version 2.9.0:
  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ and also available online at https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
  - Fixed among others this security bug:
    - bsc#1112959 CVE-2018-16837 Information leak in "user" module patch added
- include the sha checksum file in the source, which allows to verify the original sources
- Update to version 2.8.6:
  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ and also available online at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
  Included security fixes:
  * CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (bsc#1153452)
  * CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (bsc#1154232)
  * CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked and will be displayed when run with increased verbosity (bsc#1154231)
- Update to version 2.8.5:
  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/ and also available online at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- removed patches fixed upstream:
  + CVE-2019-10206-data-disclosure.patch
  + CVE-2019-10217-gcp-modules-sensitive-fields.patch
- Update to version 2.8.3:
  Full changelog is packaged, but also at https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
  - (bsc#1137528) CVE-2019-10156: ansible: templating causing an unexpected key file to be set on remote node
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
  CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leaked as an output when running ansible playbooks.
- Update to version 2.8.1
  Full changelog is at /usr/share/doc/packages/ansible/changelogs/
  Bugfixes
  --------
  - ACI - Do not encode query_string
  - ACI modules - Fix non-signature authentication
  - Add missing directory provided via ``--playbook-dir`` to adjacent collection loading
  - Fix "Interface not found" errors when using eos_l2_interface with nonexistent interfaces configured
  - Fix cannot get credential when `source_auth` set to `credential_file`.
  - Fix netconf_config backup string issue
  - Fix privilege escalation support for the docker connection plugin when credentials need to be supplied (e.g. sudo with password).
  - Fix vyos cli prompt inspection
  - Fixed loading namespaced documentation fragments from collections.
  - Fixing bug that came up after running cnos_vrf module against coverity.
  - Properly handle data importer failures on PVC creation, instead of timing out.
  - To fix the ios static route TC failure in CI
  - To fix the nios member module params
  - To fix the nios_zone module idempotency failure
  - add terminal initial prompt for initial connection
  - allow include_role to work with ansible command
  - allow python_requirements_facts to report on dependencies containing dashes
  - asa_config fix
  - azure_rm_roledefinition - fix a small error in build scope.
  - azure_rm_virtualnetworkpeering - fix cross subscriptions virtual network peering.
  - cgroup_perf_recap - When not using file_per_task, make sure we don't prematurely close the perf files
  - display underlying error when reporting an invalid ``tasks:`` block.
  - dnf - fix wildcard matching for state: absent
  - docker connection plugin - accept version ``dev`` as 'newest version' and print warning.
  - docker_container - ``oom_killer`` and ``oom_score_adj`` options are available since docker-py 1.8.0, not 2.0.0 as assumed by the version check.
  - docker_container - fix network creation when ``networks_cli_compatible`` is enabled.
  - docker_container - use docker API's ``restart`` instead of ``stop``/``start`` to restart a container.
  - docker_image - if ``build`` was not specified, the wrong default for ``build.rm`` is used.
  - docker_image - if ``nocache`` set to ``yes`` but not ``build.nocache``, the module failed.
  - docker_image - module failed when ``source: build`` was set but ``build.path`` options not specified.
  - docker_network module - fix idempotency when using ``aux_addresses`` in ``ipam_config``.
  - ec2_instance - make Name tag idempotent
  - eos: don't fail modules without become set, instead show message and continue
  - eos_config: check for session support when asked to 'diff_against: session'
  - eos_eapi: fix idempotency issues when vrf was unspecified.
  - fix bugs for ce - more info see
  - fix incorrect uses of to_native that should be to_text instead.
  - hcloud_volume - Fix idempotency when attaching a server to a volume.
  - ibm_storage - Added a check for null fields in ibm_storage utils module.
  - include_tasks - whitelist ``listen`` as a valid keyword
  - k8s - resource updates applied with force work correctly now
  - keep results subset also when not no_log.
  - meraki_switchport - improve reliability with native VLAN functionality.
  - netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and clearing functionality
  - netapp_e_volumes - fix workload profileId indexing when no previous workload tags exist on the storage array.
  - nxos_acl some platforms/versions raise when no ACLs are present
  - nxos_facts fix
  - nxos_file_copy fix passwordless workflow
  - nxos_interface Fix admin_state check for n6k
  - nxos_snmp_traps fix group all for N35 platforms
  - nxos_snmp_user fix platform fixes for get_snmp_user
  - nxos_vlan mode idempotence bug
  - nxos_vlan vlan names containing regex ctl chars should be escaped
  - nxos_vtp_* modules fix n6k issues
  - openssl_certificate - fix private key passphrase handling for ``cryptography`` backend.
  - openssl_pkcs12 - fixes crash when private key has a passphrase and the module is run a second time.
  - os_stack - Apply tags conditionally so that the module does not throw up an error when using an older distro of openstacksdk
  - pass correct loading context to persistent connections other than local
  - pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
  - postgresql - added initial SSL related tests
  - postgresql - added missing_required_libs, removed excess param mapping
  - postgresql - move connect_to_db and get_pg_version into module_utils/postgres.py (https://github.com/ansible/ansible/pull/55514)
  - postgresql_db - add note to the documentation about state dump and the incorrect rc (https://github.com/ansible/ansible/pull/57297)
  - postgresql_db - fix for postgresql_db fails if stderr contains output
  - postgresql_ping - fixed a typo in the module documentation
  - preserve actual ssh error when we cannot connect.
  - route53_facts - the module did not advertise check mode support, causing it not to be run in check mode.
  - sysctl: the module now also checks the output of STDERR to report if values are correctly set (https://github.com/ansible/ansible/pull/55695)
  - ufw - correctly check status when logging is off
  - uri - always return a value for status even during failure
  - urls - Handle redirects properly for IPv6 address by not splitting on ``:`` and rely on already parsed hostname and port values
  - vmware_vm_facts - fix the support with regular ESXi
  - vyos_interface fix
  - we don't really need to template vars on definition as we do this on demand in templating.
  - win_acl - Fix qualifier parser when using UNC paths
  - win_hostname - Fix non netbios compliant name handling
  - winrm - Fix issue when attempting to parse CLIXML on send input failure
  - xenserver_guest - fixed an issue where VM would be powered off even though check mode is used if reconfiguration requires VM to be powered off.
  - xenserver_guest - proper error message is shown when maximum number of network interfaces is reached and multiple network interfaces are added at once.
  - yum - Fix false error message about autoremove not being supported
  - yum - fix failure when using ``update_cache`` standalone
  - yum - handle special "_none_" value for proxy in yum.conf and .repo files
- Update to version 2.8.0
  Major changes:
  * Experimental support for Ansible Collections and content namespacing - Ansible content can now be packaged in a collection and addressed via namespaces. This allows for easier sharing, distribution, and installation of bundled modules/roles/plugins, and consistent rules for accessing specific content via namespaces.
  * Python interpreter discovery - The first time a Python module runs on a target, Ansible will attempt to discover the proper default Python interpreter to use for the target platform/version (instead of immediately defaulting to /usr/bin/python). You can override this behavior by setting ansible_python_interpreter or via config. (see https://github.com/ansible/ansible/pull/50163)
  * become - The deprecated CLI arguments for --sudo, --sudo-user, --ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed, in favor of the more generic --become, --become-user, --become-method, and --ask-become-pass.
  * become - become functionality has been migrated to a plugin architecture, to allow customization of become functionality and 3rd party become methods (https://github.com/ansible/ansible/pull/50991)
  - addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
  For the full changelog see /usr/share/doc/packages/ansible/changelogs or online: https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- Update to version 2.7.10
  Minor Changes
  - Catch all connection timeout related exceptions and raise AnsibleConnectionError instead
  - openssl_pkcs12, openssl_privatekey, openssl_publickey - These modules no longer delete the output file before starting to regenerate the output, or when generating the output failed.
  Bugfixes
  - Backport of https://github.com/ansible/ansible/pull/54105, pamd - fix idempotence issue when removing rules
  - Use custom JSON encoder in connection.py so that ansible objects (AnsibleVaultEncryptedUnicode, for example) can be sent to the persistent connection process
  - allow 'dict()' jinja2 global to function the same even though it has changed in jinja2 versions
  - azure_rm inventory plugin - fix missing hostvars properties (https://github.com/ansible/ansible/pull/53046)
  - azure_rm inventory plugin - fix no nic type in vmss nic. (https://github.com/ansible/ansible/pull/53496)
  - deprecate {Get/Set}ManagerAttributes commands (https://github.com/ansible/ansible/issues/47590)
  - flatpak_remote - Handle empty output in remote_exists, fixes https://github.com/ansible/ansible/issues/51481
  - foreman - fix Foreman returning host parameters
  - get_url - Fix issue with checksum validation when using a file to ensure we skip lines in the file that do not contain exactly 2 parts. Also restrict exception handling to the minimum number of necessary lines (https://github.com/ansible/ansible/issues/48790)
  - grafana_datasource - Fixed an issue when running Python3 and using basic auth (https://github.com/ansible/ansible/issues/49147)
  - include_tasks - Fixed an unexpected exception if no file was given to include.
  - openssl_certificate - fix ``state=absent``.
  - openssl_certificate, openssl_csr, openssl_pkcs12, openssl_privatekey, openssl_publickey - The modules are now able to overwrite write-protected files (https://github.com/ansible/ansible/issues/48656).
  - openssl_dhparam - fix ``state=absent`` idempotency and ``changed`` flag.
  - openssl_pkcs12, openssl_privatekey - These modules now accept the output file mode in symbolic form or as an octal string (https://github.com/ansible/ansible/issues/53476).
  - openssl_publickey - fixed crash on Python 3 when OpenSSH private keys were used with passphrases.
  - openstack inventory plugin: allow "constructed" functionality (``compose``, ``groups``, and ``keyed_groups``) to work as documented.
  - random_mac - generate a proper MAC address when the provided vendor prefix is two or four characters (https://github.com/ansible/ansible/issues/50838)
  - replace - fix behavior when ``before`` and ``after`` are used together (https://github.com/ansible/ansible/issues/31354)
  - report correct CPU information on ARM systems (https://github.com/ansible/ansible/pull/52884)
  - slurp - Fix issues when using paths on Windows with glob like characters, e.g. ``[``, ``]``
  - ssh - Check the return code of the ssh process before raising AnsibleConnectionFailure, as the error message for the ssh process will likely contain more useful information. This will improve the missing interpreter messaging when using modules such as setup which have a larger payload to transfer when combined with pipelining. (https://github.com/ansible/ansible/issues/53487)
  - tower_settings - 'name' and 'value' parameters are always required, module can not be used in order to get a setting
  - win_acl - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_acl_inheritance - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_certificate_store - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_chocolatey - Fix incompatibilities with the latest release of Chocolatey ``v0.10.12+``
  - win_copy - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_file - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_find - Ensure found files are sorted alphabetically by the path instead of it being random
  - win_find - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_owner - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
  - win_psexec - Support executables with a space in the path
  - win_reboot - Fix reboot command validation failure when running under the psrp connection plugin
  - win_tempfile - Always return the full NTFS absolute path and not a DOS 8.3 path.
  - win_user_right - Fix output containing non json data - https://github.com/ansible/ansible/issues/54413
  - windows - Fixed various module utils that did not work with path that had glob like chars
  - yum - fix disable_excludes on systems with yum rhn plugin enabled (https://github.com/ansible/ansible/issues/53134)
- Update to version 2.7.9
  Minor Changes
  * Add missing import for ConnectionError in edge and routeros module_utils.
  * ``to_yaml`` filter updated to maintain formatting consistency when used with ``pyyaml`` versions 5.1 and later (https://github.com/ansible/ansible/pull/53772)
  * docker_image - set ``changed`` to ``false`` when using ``force: yes`` to tag or push an image that ends up being identical to one already present on the Docker host or Docker registry.
  * jenkins_plugin - Set new default value for the update_url parameter (https://github.com/ansible/ansible/issues/52086)
  Bugfixes
  * Fix bug where some inventory parsing tracebacks were missing or reported under the wrong plugin.
  * Fix rabbitmq_plugin idempotence due to information message in new version of rabbitmq (https://github.com/ansible/ansible/pull/52166)
  * Fixed KeyError issue in vmware_host_config_manager when a supported option isn't already set (https://github.com/ansible/ansible/issues/44561).
  * Fixed issue related to --yaml flag in vmware_vm_inventory. Also fixed caching issue in vmware_vm_inventory (https://github.com/ansible/ansible/issues/52381).
  * If large integers are passed as options to modules under Python 2, module argument parsing will reject them as they are of type ``long`` and not of type ``int``.
  * allow nice error to work when auto plugin reads file w/o `plugin` field
  * ansible-doc - Fix traceback on providing argument --all to ansible-doc command
  * azure_rm_virtualmachine_facts - fixed crash related to attached managed disks (https://github.com/ansible/ansible/issues/52181)
  * basic - modify the correct variable when determining available hashing algorithms to avoid errors when md5 is not available (https://github.com/ansible/ansible/issues/51355)
  * cloudscale - Fix compatibility with Python3 in version 3.5 and lower.
  * convert input into text to ensure valid comparisons in nmap inventory plugin
  * dict2items - Allow dict2items to work with hostvars
  * dnsimple - fixed a KeyError exception related to record types handling.
  * docker_container - now returns warnings from docker daemon on container creation and updating.
  * docker_swarm - Fixed node_id parameter not working for node removal (https://github.com/ansible/ansible/issues/53501)
  * docker_swarm - do not crash with older docker daemons (https://github.com/ansible/ansible/issues/51175).
  * docker_swarm - fixes idempotency for the ``ca_force_rotate`` option.
  * docker_swarm - improve Swarm detection.
  * docker_swarm - improve idempotency checking; ``rotate_worker_token`` and ``rotate_manager_token`` are now also used when all other parameters have not changed.
  * docker_swarm - now supports docker-py 1.10.0 and newer for most operations, instead only docker 2.6.0 and newer.
  * docker_swarm - properly implement check mode (it did apply changes).
  * docker_swarm - the ``force`` option was ignored when ``state: present``.
  * docker_swarm_service - do basic validation of ``publish`` option if specified (must be list of dicts).
  * docker_swarm_service - don't crash when ``publish`` is not specified.
  * docker_swarm_service - fix problem with docker daemons which do not return ``UpdateConfig`` in the swarm service spec.
  * docker_swarm_service - the return value was documented as ``ansible_swarm_service``, but the module actually returned ``ansible_docker_service``. Documentation and code have been updated so that the variable is now called ``swarm_service``. In Ansible 2.7.x, the old name ``ansible_docker_service`` can still be used to access the result.
  * ec2 - if the private_ip has been provided for the new network interface it shouldn't also be added to top level parameters for run_instances()
  * fix DNSimple to ensure check works even when the number of records is larger than 100
  * get_url - return no change in check mode when checksum matches
  * inventory plugins - Fix creating groups from composed variables by getting the latest host variables
  * inventory_aws_ec2 - fix no_log indentation so AWS temporary credentials aren't displayed in tests
  * jenkins_plugin - Prevent plugin from being reinstalled when state=present (https://github.com/ansible/ansible/issues/43728)
  * lvol - fixed ValueError when using float size (https://github.com/ansible/ansible/issues/32886, https://github.com/ansible/ansible/issues/29429)
  * mysql - MySQLdb doesn't import the cursors module for its own purposes so it has to be imported in MySQL module utilities before it can be used in dependent modules like the proxysql module family.
  * mysql - fixing unexpected keyword argument 'cursorclass' issue after migration from MySQLdb to PyMySQL.
  * mysql_user: match backticks, single and double quotes when checking user privileges.
  * onepassword_facts - Fixes issues which prevented this module working with 1Password CLI version 0.5.5 (or greater). Older versions of the CLI were deprecated by 1Password and will no longer function.
  * openssl_certificate - ``has_expired`` correctly checks if the certificate is expired or not
  * openssl_certificate - fix Python 3 string/bytes problems for `notBefore`/`notAfter` for self-signed and ownCA providers.
  * openssl_certificate - make sure that extensions are actually present when their values should be checked.
  * openssl_csr - improve ``subject`` validation.
  * openssl_csr - improve error messages for invalid SANs.
  * play order is now applied under all circumstances, fixes
  * remote_management foreman - Fixed issue where it was impossible to create/delete a product because product was missing in dict choices (https://github.com/ansible/ansible/issues/48594)
  * rhsm_repository - handle systems without any repos
  * skip invalid plugin after warning in loader
  * urpmi module - fixed issue
  * win_certificate_store - Fix exception handling typo
  * win_chocolatey - Fix issue when parsing a beta Chocolatey install - https://github.com/ansible/ansible/issues/52331
  * win_chocolatey_source - fix bug where a Chocolatey source could not be disabled unless ``source`` was also set - https://github.com/ansible/ansible/issues/50133
  * win_domain - Do not fail if DC is already promoted but a reboot is required, return ``reboot_required: True``
  * win_domain - Fix when running without credential delegated authentication - https://github.com/ansible/ansible/issues/53182
  * win_file - Fix issue when managing hidden files and directories - https://github.com/ansible/ansible/issues/42466
  * winrm - attempt to recover from a WinRM send input failure if possible
  * zabbix_hostmacro: fixes truncation of macro contexts that contain colons (see https://github.com/ansible/ansible/pull/51853)
  New Plugins
  * vmware_vm_inventory - VMware Guest inventory source
- update URL (use SSL version of the URL)
- prepare update for multiple releases (bsc#1102126, bsc#1109957)
- Update to version 2.7.8
  Minor Changes:
  * Raise AnsibleConnectionError on winrm connection errors
  Bugfixes:
  * Backport of https://github.com/ansible/ansible/pull/46478, fixes name collision in haproxy module
  * Fix aws_ec2 inventory plugin code to automatically populate regions when missing as documentation states, also leverage config system vs self default/type validation
  * Fix unexpected error when using Jinja2 native types with non-strict constructed keyed_groups (https://github.com/ansible/ansible/issues/52158).
  * If an ios module uses a section filter on a device which does not support it, retry the command without the filter.
  * acme_challenge_cert_helper - the module no longer crashes when the required ``cryptography`` library cannot be found.
  * azure_rm_managed_disk_facts - added missing implementation of listing managed disks by resource group
  * azure_rm_mysqlserver - fixed issues with passing parameters while updating existing server instance
  * azure_rm_postgresqldatabase - fix force_update bug (https://github.com/ansible/ansible/issues/50978).
  * azure_rm_postgresqldatabase - fix force_update bug.
  * azure_rm_postgresqlserver - fixed issues with passing parameters while updating existing server instance
  * azure_rm_sqlserver - fix for tags support
  * azure_rm_virtualmachine - fixed several crashes in module
  * azure_rm_virtualmachine_facts - fix crash when vm created from custom image
  * azure_rm_virtualmachine_facts - fixed crash related to VM with managed disk attached
  * ec2 - Correctly sets the end date of the Spot Instance request. Sets `ValidUntil` value in proper way so it will be auto-canceled through `spot_wait_timeout` interval.
  * openssl_csr - fixes idempotence problem with PyOpenSSL backend when no Subject Alternative Names were specified.
  * openstack inventory plugin - send logs from sdk to stderr so they do not combine with output
  * psrp - do not display bootstrap wrapper for each module exec run
  * redfish_utils - get standard properties for firmware entries (https://github.com/ansible/ansible/issues/49832)
  * remote home directory - Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133)
  * ufw - when using ``state: reset`` in check mode, ``ufw --dry-run reset`` was executed, which causes a loss of firewall rules. The ``ufw`` module was adjusted to no longer run ``ufw --dry-run reset`` to prevent this from happening.
  * ufw: make sure that only valid values for ``direction`` are passed on.
  * update GetBiosBootOrder to use standard Redfish resources (https://github.com/ansible/ansible/issues/47571)
  * win become - Fix some scenarios where become failed to create an elevated process
  * win_psmodule - the NuGet package provider will be updated, if needed, to avoid issue under adding a repository
  * yum - Remove incorrect disable_includes error message when using disable_excludes (https://github.com/ansible/ansible/issues/51697)
  * yum - properly handle a proxy config in yum.conf for an unauthenticated proxy
- Update to version 2.7.7
  Minor Changes:
  * Allow check_mode with supports_generate_diff capability in cli_config. (https://github.com/ansible/ansible/pull/51417)
  * Fixed typo in vmware documentation fragment. Changed "supported added" to "support added".
  Bugfixes:
  * All K8S_AUTH_* environment variables are now properly loaded by the k8s lookup plugin
  * Change backup file globbing for network _config modules so backing up one host's config will not delete the backed up config of any host whose hostname is a subset of the first host's hostname (e.g., switch1 and switch11)
  * Fixes bug where nios_a_record wasn't getting deleted if an uppercase named a_record was being passed. (https://github.com/ansible/ansible/pull/51539)
  * aci_aaa_user - Fix setting user description (https://github.com/ansible/ansible/issues/51406)
  * apt_repository - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
  * archive - Fix check if archive is created in path to be removed
  * azure_rm inventory plugin - fix azure batch request (https://github.com/ansible/ansible/pull/50006)
  * cnos_backup - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
  * cnos_image - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
  * consul_kv - minor error-handling bugfix under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
  * copy - align invocation in return value between check and normal mode
  * delegate_facts - fix to work properly under block and include_role (https://github.com/ansible/ansible/pull/51553)
  * docker_swarm_service - fix endpoint_mode and publish idempotency.
  * ec2_instance - Correctly adds description when adding a single ENI to the instance
  * ensure we have a XDG_RUNTIME_DIR, as it is not handled correctly by some privilege escalation configurations
  * file - Allow state=touch on file the user does not own https://github.com/ansible/ansible/issues/50943
  * fix ansible-pull handling of extra args, complex quoting is needed for inline JSON
  * fix ansible_connect_timeout variable in network_cli,netconf,httpapi and nxos_install_os timeout check
  * netapp_e_storagepool - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
  * onepassword_facts - Fix an issue looking up some 1Password items which have a 'password' attribute alongside the 'fields' attribute, not inside it.
  * prevent import_role from inserting dupe into roles: execution when duplicate signature role already exists in the section.
  * reboot - Fix bug where the connection timeout was not reset in the same task after rebooting
  * ssh connection - do not retry with invalid credentials to prevent account lockout (https://github.com/ansible/ansible/issues/48422)
  * systemd - warn when executing in a chroot environment rather than failing (https://github.com/ansible/ansible/pull/43904)
  * win_chocolatey - Fix hang when used with proxy for the first time - https://github.com/ansible/ansible/issues/47669
  * win_power_plan - Fix issue where win_power_plan failed on newer Windows 10 builds - https://github.com/ansible/ansible/issues/43827
- update to version 2.7.6
  Minor Changes:
  * Added documentation about using VMware dynamic inventory plugin.
  * Fixed bug around populating host_ip in hostvars in vmware_vm_inventory.
  * Image reference change in Azure VMSS is detected and applied correctly.
  * docker_volume - reverted changed behavior of force, which was released in Ansible 2.7.1 to 2.7.5, and Ansible 2.6.8 to 2.6.11. Volumes are now only recreated if the parameters changed and force is set to true (instead of or). This is the behavior which has been described in the documentation all the time.
  * set ansible_os_family from name variable in os-release
  * yum and dnf can now handle installing packages from URIs that are proxy redirects and don't end in the .rpm file extension
  Bugfixes:
  * Added log message at -vvvv when using netconf connection listing connection details.
  * Changes how ansible-connection names socket lock files. They now use the same name as the socket itself, and as such do not lock other attempts on connections to the same host, or cause issues with overly-long hostnames.
  * Fix mandatory statement error for junos modules (https://github.com/ansible/ansible/pull/50138)
  * Moved error in netconf connection plugin from at import to on connection.
  * This reverts some changes from commit 723daf3. If a line is found in the file, exactly or via regexp matching, it must not be added again. insertafter/insertbefore options are used only when a line is to be inserted, to specify where it must be added.
  * allow using openstack inventory plugin w/o a cache
  * callbacks - Do not filter out exception, warnings, deprecations on failure when using debug (https://github.com/ansible/ansible/issues/47576)
  * certificate_complete_chain - fix behavior when invalid file is parsed while reading intermediate or root certificates.
  * copy - Ensure that the src file contents is converted to unicode in diff information so that it is properly wrapped by AnsibleUnsafeText to prevent unexpected templating of diff data in Python3 (https://github.com/ansible/ansible/issues/45717)
  * correct behaviour of verify_file for vmware inventory plugin, it was always returning True
  * dnf - fix issue where conf_file was not being loaded properly
  * dnf - fix update_cache combined with install operation to not cause dnf transaction failure
  * docker_container - fix network_mode idempotency if the container: form is used (as opposed to container:) (https://github.com/ansible/ansible/issues/49794)
  * docker_container - warning when non-string env values are found, avoiding YAML parsing issues. Will be made an error in Ansible 2.8. (https://github.com/ansible/ansible/issues/49802)
  * docker_swarm_service - Document labels and container_labels with correct type.
  * docker_swarm_service - Document limit_memory and reserve_memory correctly on how to specify sizes.
  * docker_swarm_service - Document minimal API version for configs and secrets.
  * docker_swarm_service - fix use of Docker API so that services are not detected as present if there is an existing service whose name is a substring of the desired service
  * docker_swarm_service - fixing falsely reporting update_order as changed when option is not used.
  * document old option that was initially missed
  * ec2_instance now respects check mode https://github.com/ansible/ansible/pull/46774
  * fix for network_cli - ansible_command_timeout not working as expected (#49466)
  * fix handling of firewalld port if protocol is missing
  * fix lastpass lookup failure on python 3 (https://github.com/ansible/ansible/issues/42062)
  * flatpak - Fixed Python 2/3 compatibility
  * flatpak - Fixed issue where newer versions of flatpak failed on flatpak removal
  * flatpak_remote - Fixed Python 2/3 compatibility
  * gcp_compute_instance - fix crash when the instance metadata is not set
  * grafana_dashboard - Fix a pair of unicode string handling issues with version checking (https://github.com/ansible/ansible/pull/49194)
  * host execution order - Fix reverse_inventory not to change the order of the items before reversing on python2 and to not backtrace on python3
  * icinga2_host - fixed the issue with not working use_proxy option of the module.
  * influxdb_user - An unspecified password now sets the password to blank, except on existing users. This previously caused an unhandled exception.
  * influxdb_user - Fixed unhandled exception when using invalid login credentials (https://github.com/ansible/ansible/issues/50131)
  * openssl_* - fix error when path contains a file name without path.
  * openssl_csr - fix problem with idempotency of keyUsage option.
  * openssl_pkcs12 - now does proper path expansion for ca_certificates.
  * os_security_group_rule - os_security_group_rule doesn't exit properly when secgroup doesn't exist and state=absent (https://github.com/ansible/ansible/issues/50057)
  * paramiko_ssh - add auth_timeout parameter to ssh.connect when supported by installed paramiko version. This will prevent "Authentication timeout" errors when a slow authentication step (>30s) happens with a host (https://github.com/ansible/ansible/issues/42596)
  * purefa_facts and purefb_facts now correctly adds facts into main ansible_fact dictionary (https://github.com/ansible/ansible/pull/50349)
  * reboot - add appropriate commands to make the plugin work with VMware ESXi (https://github.com/ansible/ansible/issues/48425)
  * reboot - add support for rebooting AIX (https://github.com/ansible/ansible/issues/49712)
  * reboot - gather distribution information in order to support Alpine and other distributions (https://github.com/ansible/ansible/issues/46723)
  * reboot - search common paths for the shutdown command and use the full path to the binary rather than depending on the PATH of the remote system (https://github.com/ansible/ansible/issues/47131)
  * reboot - use a common set of commands for older and newer Solaris and SunOS variants (https://github.com/ansible/ansible/pull/48986)
  * redfish_utils - fix reference to local variable 'systems_service'
  * setup - fix the rounding of the ansible_memtotal_mb value on VMWare vm's (https://github.com/ansible/ansible/issues/49608)
  * vultr_server - fixed multiple ssh keys were not handled.
  * win_copy - Fix copy of a dir that contains an empty directory - https://github.com/ansible/ansible/issues/50077
  * win_firewall_rule - Remove invalid 'bypass' action
  * win_lineinfile - Fix issue where a malformed json block was returned causing an error
  * win_updates - Correctly report changes on success
- update to version 2.7.5
  Minor Changes:
  * Add warning about falling back to jinja2_native=false when Jinja2 version is lower than 2.10.
  * Change the position to search os-release since clearlinux new versions are providing /etc/os-release too
  * Fixed typo in ansible-galaxy info command.
  * Improve the deprecation message for squashing, to not give misleading advice
  * Update docs and return section of vmware_host_service_facts module.
  * ansible-galaxy: properly warn when git isn't found in an installed bin path instead of traceback
  * dnf module properly loads and initializes dnf package manager plugins
  * docker_swarm_service: use docker defaults for the user parameter if it is set to null
  Bugfixes:
  * bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
  * ACME modules: improve error messages in some cases (include error returned by server).
  * Added unit test for VMware module_utils.
  * Also check stdout for interpreter errors for more intelligent messages to user
  * Backported support for Devuan-based distribution
  * Convert hostvars data in OpenShift inventory plugin to be serializable by ansible-inventory
  * Fix AttributeError (Python 3 only) when an exception occurs while rendering a template
  * Fix N3K power supply facts (https://github.com/ansible/ansible/pull/49150).
  * Fix NameError nxos_facts (https://github.com/ansible/ansible/pull/48981).
  * Fix VMware module utils for self usage.
  * Fix error in OpenShift inventory plugin when a pod has errored and is empty
  * Fix if the route table changed to none (https://github.com/ansible/ansible/pull/49533)
  * Fix iosxr netconf plugin response namespace (https://github.com/ansible/ansible/pull/49300)
  * Fix issues with nxos_install_os module for nxapi (https://github.com/ansible/ansible/pull/48811).
  * Fix lldp and cdp neighbors information (https://github.com/ansible/ansible/pull/48318) (https://github.com/ansible/ansible/pull/48087) (https://github.com/ansible/ansible/pull/49024).
  * Fix nxos_interface and nxos_linkagg Idempotence issue (https://github.com/ansible/ansible/pull/46437).
  * Fix traceback when updating facts and the fact cache plugin was nonfunctional
  * Fix using vault encrypted data with jinja2_native (https://github.com/ansible/ansible/issues/48950)
  * Fixed: Make sure that the files excluded when extracting the archive are not checked. https://github.com/ansible/ansible/pull/45122
  * Fixes issue where a password parameter was not set to no_log
  * Respect no_log on retry and high verbosity (CVE-2018-16876)
  * aci_rest - Fix issue ignoring custom port
  * acme_account, acme_account_facts - in some cases, it could happen that the modules return information on disabled accounts accidentally returned by the ACME server.
  * docker_swarm - decreased minimal required API version from 1.35 to 1.25; some features require API version 1.30 though.
  * docker_swarm_service: fails because of default "user: root" (https://github.com/ansible/ansible/issues/49199)
  * ec2_metadata_facts - Parse IAM role name from the security credential field since the instance profile name is different
  * fix azure_rm_image module use positional parameter (https://github.com/ansible/ansible/pull/49394)
  * fixes an issue with dict_merge in network utils (https://github.com/ansible/ansible/pull/49474)
  * gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped.
  * mail - fix python 2.7 regression
  * openstack - fix parameter handling when cloud provided as dict https://github.com/ansible/ansible/issues/42858
  * os_user - Include domain parameter in user deletion https://github.com/ansible/ansible/issues/42901
  * os_user - Include domain parameter in user lookup https://github.com/ansible/ansible/issues/42901
  * ovirt_storage_connection - comparing passwords breaks idempotency in update_check (https://github.com/ansible/ansible/issues/48933)
  * paramiko_ssh - improve log message to state the connection type
  * reboot - use IndexError instead of TypeError in exception
  * redis cache - Support version 3 of the redis python library (https://github.com/ansible/ansible/issues/49341)
  * sensu_silence - Cast int for expire field to avoid call failure to sensu API.
  * vmware_host_service_facts - handle exception when service package does not have package name.
  * win_nssm - Switched to Argv-ToString for escaping NSSM credentials (https://github.com/ansible/ansible/issues/48728)
  * zabbix_hostmacro - Added missing validate_certs logic for running module against Zabbix servers with untrusted SSL certificates (https://github.com/ansible/ansible/issues/47611)
  * zabbix_hostmacro - Fixed support for user macros with context (https://github.com/ansible/ansible/issues/46953)
- update to version 2.7.4
  Bugfixes:
  * powershell - add lib/ansible/executor/powershell to the packaging data
- update to version 2.7.3
  Minor Changes:
  * Document Path and Port are mutually exclusive parameters in wait_for module
  * Puppet module remove --ignorecache to allow Puppet 6 support
  * dnf properly support modularity appstream installation via overloaded group modifier syntax
  * proxmox_kvm - fix exception
  * win_security_policy - warn users to use win_user_right instead when editing Privilege Rights
  Bugfixes:
  * Fix the issue that FTD HTTP API retries authentication-related HTTP requests
  * Fix the issue that module fails when the Swagger model does not have required fields
  * Fix the issue with comparing string-like objects
  * Fix using omit on play keywords
  * Windows - prevent sensitive content from appearing in scriptblock logging (CVE-2018-16859)
  * apt_key - Disable TTY requirement in GnuPG for the module to work correctly when SSH pipelining is enabled
  * better error message when bad type in config, deal with EVNAR= more gracefully
  * configuration retrieval would fail on non primed plugins
  * cs_template - Fixed a KeyError on state=extracted
  * docker_container - fix idempotency problems with docker-py caused by previous init idempotency fix
  * docker_container - fix interplay of docker-py version check with argument_spec validation improvements
  * docker_network - driver_options containing Python booleans would cause Docker to throw exceptions
  * ec2_group - Fix comparison of determining which rules to purge by ignoring descriptions
  * pip module - fix setuptools/distutils replacement
  * sysvinit - enabling a service should use "defaults" if no runlevels are specified
- update to version 2.7.2
  Minor changes:
  * Fix documentation for cloning template
  * Parsing plugin filter may raise TypeError, gracefully handle this exception and let user know about the syntax error in plugin filter file
  * Scenario guide for VMware HTTP API usage
  * Update plugin filter documentation
  * fix yum and dnf autoremove input sanitization to properly warn user if invalid options passed and update documentation to match
  * improve readability and fix privileges names on vmware scenario_clone_template
  * k8s - updated module documentation to mention how to avoid SSL validation errors
  * yum - when checking for updates, now properly include Obsoletes (both old and new) package data in the module JSON output
- update to 2.7.1
  Minor changes:
  * Fix yum module to properly check for empty conf_file value
  * added capability to set the scheme for the consul_kv lookup
  * added optional certificate and certificate validation for consul_kv lookups
  * dnf - properly handle modifying the enable/disable excludes data field
  * dnf appropriately handles disable_excludes repoid argument
  * dnf properly honors disable_gpg_check for local package installation
  * fix yum module to handle list argument optional empty strings properly
  * netconf_config - Make default_operation optional in netconf_config module
  * yum - properly handle proxy password and username embedded in url
  * yum/dnf - fail when space separated string of names
- update to 2.7.0
  Major changes:
  * Allow config to enable native jinja types
  * Remove support for simplejson
  * yum and dnf modules now at feature parity
  Minor changes:
  * Changed the prefix of all Vultr modules from vr to vultr
  * Enable installroot tests for yum4(dnf) integration testing, dnf backend now supports that
  * Fixed timer in exponential backoff algorithm in vmware.py
  Bugfixes:
  * Security Fix - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir
  * Security Fix - avoid using ansible.cfg in a world writable dir
  * Some connection exception would cause no_log specified on a task to be ignored (stdout info disclosure)
  * Fix glob path of rc.d (SUSE-specific)
  * Fix lambda_policy updates
  * Fix alt linux detection/matching
- update to 2.6.4
  Minor Changes:
  * add azure_rm_storageaccount support to StorageV2 kind.
  * import_tasks - Do not allow import_tasks to transition to dynamic if the file is missing
  Bugfixes:
  * Add md5sum check in nxos_file_copy module
  * Allow arbitrary log_driver for docker_container
  * Fix Python2.6 regex bug terminal plugin nxos, iosxr
  * Fix check_mode in nxos_static_route module
  * Fix glob path of rc.d: some distributions like SUSE have the rc%.d directories under /etc/init.d
  * Fix network config diff issue for lines
  * Fixed an issue where ansible_facts.pkg_mgr would incorrectly be set to zypper on Debian/Ubuntu systems that happened to have the command installed
  * The docker_* modules respect the DOCKER_* environment variables again
  * The fix for CVE-2018-10875 prints out a warning message about skipping a config file from a world writable current working directory. However, if the user is in a world writable current working directory which does not contain a config file, it should not print a warning message. This release fixes that extraneous warning.
  * To resolve nios_network issue where vendor-encapsulated-options can not have a use_option flag.
  * To resolve the issue of handling exception for Nios lookup gracefully.
  * always correctly template no log for tasks
  * ansible-galaxy - properly list all roles in roles_path
  * basic.py - catch ValueError in case a FIPS enabled platform raises this exception
  * docker_container: fixing working_dir idempotency problem
  * docker_container: makes unit parsing for memory sizes more consistent, and fixes idempotency problem when kernel_memory is set
  * fix example code for AWS lightsail documentation
  * fix the enable_snat parameter that is only supposed to be used by a user with the right policies.
  * fixes docker_container check and debug mode
  * improves docker_container idempotency
  * ios_l2_interface - fix bug when list of vlans ends with comma
  * ios_l2_interface - fix issue with certain interface types
  * ios_user - fix unable to delete user admin issue
  * ios_vlan - fix unable to work on certain interface types issue
  * nxos_facts test lldp feature and fix nxapi check_rc
  * nxos_interface port-channel idempotence fix for mode
  * nxos_linkagg mode fix
  * nxos_system idempotence fix
  * nxos_vlan refactor to support non structured output
  * one_host - fixes settings via environment variables
  * use retry_json nxos_banner
  * user - Strip trailing comments in /etc/default/passwd
  * user - when creating a new user without an expiration date, properly set no expiration rather than expiring the account
  * win_domain_computer - fixed deletion of computer active directory objects that have dependent objects
  * win_domain_computer - fixed error in diff_support
  * win_domain_computer - fixed error when description parameter is empty
  * win_psexec - changed code to not escape the command option when building the args
  * win_uri - Fix support for JSON output when charset is set
  * win_wait_for - fix issue where timeout doesn't wait unless state=drained
- update to 2.6.3
  Bugfixes:
  * Fix lxd module to be idempotent when the given configuration for the lxd container has not changed
  * Fix setting value type to str to avoid conversion during template read. Fix Idempotency in case of 'no key'.
  * Fix the mount module's handling of swap entries in fstab
  * The fix for (CVE-2018-10875) prints out a warning message about skipping a config file from a world writable current working directory. However, if the user explicitly specifies that the config file should be used via the ANSIBLE_CONFIG environment variable then Ansible would honor that but still print out the warning message. This has been fixed so that Ansible honors the user's explicit wishes and does not print a warning message in that circumstance.
  * To fix the bug where existing host_record was deleted when existing record name is used with different IP.
  * VMware handle pnic in proxyswitch
  * fix azure security group cannot add rules when purge_rule set to false.
  * fix azure_rm_deployment collect tags from existing Resource Group.
  * fix azure_rm_loadbalancer_facts list takes at least 2 arguments.
  * fix for the bundled selectors module (used in the ssh and local connection plugins) when a syscall is restarted after being interrupted by a signal
  * get_url - fix the bug that get_url does not change mode when checksum matches
  * nicer error when multiprocessing breaks
  * openssl_certificate - Convert valid_date to bytes for conversion
  * openstack_inventory.py dynamic inventory file fixed the plugin to the script so that it will work with current ansible-inventory. Also redirect stdout before dumping the output, because not doing so will cause JSON parse errors in some cases.
  * slack callback - Fix invocation by looking up data from cli.options
  * sysvinit module: handle values of optional parameters. Don't disable service when enabled parameter isn't set. Fix command when arguments parameter isn't set.
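The configuration lookup rule that the two CVE-2018-10875 entries above (2.6.4 and 2.6.3) describe, worked through as an added example. This is illustrative code, not Ansible's own; the function names select_cwd_config and demo_scenarios and the warning text are hypothetical, and the directories it checks are constructed in a scratch location.

```python
# Added example (not Ansible's own code): the ansible.cfg lookup rule from
# the CVE-2018-10875 changelog entries.  Function names are hypothetical.
import os
import stat
import tempfile

CONFIG_NAME = "ansible.cfg"


def is_world_writable(path):
    """True when the 'other' write bit is set on path, the condition the
    CVE-2018-10875 fix keys on."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def select_cwd_config(cwd, env):
    """Decide whether a config file found in cwd may be used.

    Returns (config_path, warning); either may be None.
    - ANSIBLE_CONFIG set explicitly: honoured, no warning (2.6.3 entry).
    - world-writable cwd holding ansible.cfg: skipped, with a warning.
    - world-writable cwd with no ansible.cfg: nothing to skip, so no
      warning (2.6.4 entry).
    `env` is passed in rather than read from os.environ so the decision
    can be exercised without touching the real environment.
    """
    explicit = env.get("ANSIBLE_CONFIG")
    if explicit:
        return os.path.abspath(explicit), None
    candidate = os.path.join(cwd, CONFIG_NAME)
    if not os.path.isfile(candidate):
        return None, None
    if is_world_writable(cwd):
        # Constructed message, not Ansible's wording.
        return None, "skipping %s: %s is world writable" % (candidate, cwd)
    return candidate, None


def demo_scenarios():
    """Build the four cases in a scratch directory and return the decisions
    keyed by scenario name as (config_path, warning) tuples."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # Normal project directory with its own ansible.cfg.
        safe = os.path.join(base, "safe")
        os.mkdir(safe)
        os.chmod(safe, 0o755)
        open(os.path.join(safe, CONFIG_NAME), "w").close()

        # /tmp-like directory: world writable (sticky bit set) with a
        # config file anyone on the host could have dropped there.
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        open(os.path.join(shared, CONFIG_NAME), "w").close()

        # World writable but without any ansible.cfg at all.
        shared_empty = os.path.join(base, "shared_empty")
        os.mkdir(shared_empty)
        os.chmod(shared_empty, 0o1777)

        # A file the user names explicitly, even though it sits in the
        # world-writable directory.
        explicit_cfg = os.path.join(shared, "site.cfg")
        open(explicit_cfg, "w").close()

        results["safe_cwd"] = select_cwd_config(safe, {})
        results["world_writable_cwd"] = select_cwd_config(shared, {})
        results["world_writable_cwd_no_cfg"] = select_cwd_config(shared_empty, {})
        results["explicit_env"] = select_cwd_config(
            shared, {"ANSIBLE_CONFIG": explicit_cfg})
    return results


if __name__ == "__main__":
    for name, (path, warning) in sorted(demo_scenarios().items()):
        print("%-26s config=%s warning=%s" % (name, path, warning))
```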
  * vars_prompt - properly template play level variables in vars_prompt
  * win_domain - ensure the Netlogon service is up and running after promoting host to controller
  * win_domain_controller - ensure the Netlogon service is up and running after promoting host to controller
- update to 2.6.2
  Minor Changes
  + Scenario guide for removing an existing virtual machine is added.
  + lineinfile - add warning when using an empty regexp
  + Restore module_utils.basic.BOOLEANS variable for backwards compatibility with the module API in older ansible releases.
  Bugfixes:
  + Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read from current working directory allowing possible code execution
  + Add text output along with structured output in nxos_facts
  + Allow more than one page of results by using the right pagination indicator ('NextMarker' instead of 'NextToken').
  + Fix an atomic_move error that is 'true', but misleading. Now we show all 3 files involved and clarify what happened.
  + Fix eos_l2_interface eapi.
  + Fix fetching old style facts in junos_facts module
  + Fix get_device_info nxos zero or more whitespace regex
  + Fix nxos CI failures
  + Fix nxos_nxapi default http behavior
  + Fix nxos_vxlan_vtep_vni
  + Fix regex network_os_platform nxos
  + Refactor nxos cliconf get_device_info for non structured output supported devices
  + To fix the NoneType error raised in ios_l2_interface when Access Mode VLAN is unassigned
  + empty host/group name is an error
  + fix default SSL version for docker modules
  + fix mail module when using starttls
  + fix nmap config example
  + fix ps detection of service
  + fix the remote tmp folder permissions issue when becoming a non admin user
  + fix typo in sysvinit that breaks update.rc-d detection
  + fixes docker_container compatibility with docker-py < 2.2
  + get_capabilities in nxapi module_utils should not return empty dictionary
  + inventory - When using an inventory directory, ensure extension comparison uses text types
  + ios_vlan - fix unable to identify correct vlans issue
  + nxos_facts warning message improved
  + openvswitch_db - make 'key' argument optional
  + pause - do not set stdout to raw mode when redirecting to a file
  + pause - nest try except when importing curses to gracefully fail if curses is not present
  + plugins/inventory/openstack.py - Do not create group with empty name if region is not set
  + preserve delegation info on nolog
  + remove ambiguity when it comes to 'the source'
  + remove dupes from var precedence
  + restores filtering out conflicting facts
  + user - fix bug that resulted in module always reporting a change when specifying the home directory on FreeBSD
  + user - use correct attribute name in FreeBSD for create_home
  + vultr - Do not fail trying to load configuration from ini files if required variables have been set as environment variables.
  + vyos_command correcting conditionals looping
  + win_chocolatey - enable TLSv1.2 support when downloading the Chocolatey installer
  + win_reboot - fix for handling an already scheduled reboot and other minor log formatting issues
  + win_reboot - fix issue when overriding connection timeout hung the post reboot uptime check
  + win_reboot - handle post reboots when running test_command
  + win_security_policy - allows an empty string to reset a policy value
  + win_share - discard any cmdlet output we don't use to ensure only the return json is received by Ansible
  + win_unzip - discard any cmdlet output we don't use to ensure only the return json is received by Ansible
  + win_updates - fixed module return value is lost in error in some cases
  + win_user - Use LogonUser to validate the password as it does not rely on SMB/RPC to be available
  + Security Fix - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir
  + Security Fix - avoid using ansible.cfg in a world writable dir.
  + Fix junos_config confirm commit timeout issue (https://github.com/ansible/ansible/pull/41527)
  + file module - The touch subcommand had its diff output broken during the 2.6.x development cycle. This is now fixed.
  + inventory manager - This fixes required options being populated before the inventory config file is read, so the required options may be set in the config file.
  + nsupdate - allow hmac-sha384 https://github.com/ansible/ansible/pull/42209
  + win_domain - fixes typo in one of the AD cmdlets https://github.com/ansible/ansible/issues/41536
  + win_group_membership - uses the internal Ansible SID conversion logic and uses that when comparing group membership instead of the name
- use fdupes to save some space in python_sitelib
- define BuildRoot on older distributions like SLE-11
- be a bit more flexible with the ending of manpage files to allow Fedora builds to succeed
- includes fix for bsc#1099805 (CVE-2018-10874) Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution (included upstream in 2.6.1).
- revert some unneeded changes from spec-cleaner
- updated to latest release 2.6.0
  - New Plugins:
    + Callback:
      - cgroup_memory_recap
      - grafana_annotations
      - sumologic
    + Connection:
      - httpapi
    + Inventory:
      - foreman
      - gcp_compute
      - generator
      - nmap
    + Lookup:
      - onepassword
      - onepassword_raw
  - Module updates are too many to mention here; please look at the package documentation directory (/usr/share/doc/packages/.../changelogs)
  - bug fixes:
    - **Security Fix** - Some connection exceptions would cause no_log specified on a task to be ignored. If this happened, the task information, including any private information could have been displayed to stdout and (if enabled, not the default) logged to a log file specified in ansible.cfg's log_path. Additionally, sites which redirected stdout from ansible runs to a log file may have stored that private information onto disk that way as well. (https://github.com/ansible/ansible/pull/41414)
    - Changed the admin_users config option to not include "admin" by default as admin is frequently used for a non-privileged account (https://github.com/ansible/ansible/pull/41164)
    - Changed the output to "text" for "show vrf" command as default "json" output format with respect to "eapi" transport was failing (https://github.com/ansible/ansible/pull/41470)
    - Document mode=preserve for both the copy and template module
    - Fix added for Digital Ocean Volumes API change causing Ansible to receive an unexpected value in the response. (https://github.com/ansible/ansible/pull/41431)
    - Fix an encoding issue when parsing the examples from a plugins' documentation
    - Fix iosxr_config module to handle route-policy, community-set, prefix-set, as-path-set and rd-set blocks. All these blocks are part of route-policy language of iosxr.
    - Fix mode=preserve with remote_src=True for the copy module
    - Implement mode=preserve for the template module
    - The yaml callback plugin now allows non-ascii characters to be displayed.
    - Various grafana_* modules - Port away from the deprecated b64encodestring function to the b64encode function instead. https://github.com/ansible/ansible/pull/38388
    - added missing 'raise' to exception definition https://github.com/ansible/ansible/pull/41690
    - allow custom endpoints to be used in the aws_s3 module (https://github.com/ansible/ansible/pull/36832)
    - allow set_options to be called multiple times https://github.com/ansible/ansible/pull/41913
    - ansible-doc - fixed traceback on missing plugins (https://github.com/ansible/ansible/pull/41167)
    - cast the device_mapping volume size to an int in the ec2_ami module (https://github.com/ansible/ansible/pull/40938)
    - copy - fixed copy to only follow symlinks for files in the non-recursive case
    - copy module - The copy module was attempting to change the mode of files for remote_src=True even if mode was not set as a parameter. This failed on filesystems which do not have permission bits (https://github.com/ansible/ansible/pull/40099)
    - copy module - fixed recursive copy with relative paths (https://github.com/ansible/ansible/pull/40166)
    - correct debug display for all cases https://github.com/ansible/ansible/pull/41331
    - correctly check hostvars for vars term https://github.com/ansible/ansible/pull/41819
    - correctly handle yaml inventory files when entries are null dicts https://github.com/ansible/ansible/issues/41692
    - dynamic includes - Allow inheriting attributes from static parents (https://github.com/ansible/ansible/pull/38827)
    - dynamic includes - Don't treat undefined vars for conditional includes as truthy (https://github.com/ansible/ansible/pull/39377)
    - dynamic includes - Fix IncludedFile comparison for free strategy (https://github.com/ansible/ansible/pull/37083)
    - dynamic includes - Improved performance by fixing re-parenting on copy (https://github.com/ansible/ansible/pull/38747)
    - dynamic includes - Use the copied and merged task for calculating task vars (https://github.com/ansible/ansible/pull/39762)
    - file - fixed the default follow behaviour of file to be true
    - file module - Eliminate an error if we're asked to remove a file but something removes it while we are processing the request (https://github.com/ansible/ansible/pull/39466)
    - file module - Fix error when recursively assigning permissions and a symlink to a nonexistent file is present in the directory tree (https://github.com/ansible/ansible/issues/39456)
    - file module - Fix error when running a task which assures a symlink to a nonexistent file exists for the second and subsequent times (https://github.com/ansible/ansible/issues/39558)
    - file module - The file module allowed the user to specify src as a parameter when state was not link or hard. This is documented as only applying to state=link or state=hard but in previous Ansible, this could have an effect in rare corner cases. For instance, "ansible -m file -a 'state=directory path=/tmp src=/var/lib'" would create /tmp/lib. This has been disabled and a warning emitted (will change to an error in Ansible-2.10).
    - file module - The touch subcommand had its diff output broken during the 2.6.x development cycle. This is now fixed (https://github.com/ansible/ansible/issues/41755)
    - fix BotoCoreError exception handling
    - fix apt-mark on debian6 (https://github.com/ansible/ansible/pull/41530)
    - fix async for the aws_s3 module by adding async support to the action plugin (https://github.com/ansible/ansible/pull/40826)
    - fix decrypting vault files for the aws_s3 module (https://github.com/ansible/ansible/pull/39634)
    - fix errors with S3-compatible APIs if they cannot use ACLs for buckets or objects
    - fix permission handling to try to download a file even if the user does not have permission to list all objects in the bucket
    - fixed config required handling, specifically for _terms in lookups https://github.com/ansible/ansible/pull/41740
    - gce_net - Fix sorting of allowed ports (https://github.com/ansible/ansible/pull/41567)
    - group_by - support implicit localhost (https://github.com/ansible/ansible/pull/41860)
    - import/include - Ensure role handlers have the proper parent, allowing for correct attribute inheritance (https://github.com/ansible/ansible/pull/39426)
    - import_playbook - Pass vars applied to import_playbook into parsing of the playbook as they may be needed to parse the imported plays (https://github.com/ansible/ansible/pull/39521)
    - include_role/import_role - Don't overwrite included role handlers with play handlers on parse (https://github.com/ansible/ansible/pull/39563)
    - include_role/import_role - Fix parameter templating (https://github.com/ansible/ansible/pull/36372)
    - include_role/import_role - Use the computed role name for include_role/import_role so as to differentiate between names computed from host vars (https://github.com/ansible/ansible/pull/39516)
    - include_role/import_role - improved performance and recursion depth (https://github.com/ansible/ansible/pull/36470)
    - lineinfile - fix insertbefore when used with BOF to not insert duplicate lines (https://github.com/ansible/ansible/issues/38219)
    - password lookup - Do not load password lookup in network filters, allowing the password lookup to be overridden (https://github.com/ansible/ansible/pull/41907)
    - pause - ensure ctrl+c interrupt works in all cases (https://github.com/ansible/ansible/issues/35372)
    - powershell - use the tmpdir set by `remote_tmp` for become/async tasks instead of the generic $env:TEMP - https://github.com/ansible/ansible/pull/40210
    - selinux - correct check mode behavior to report same changes as normal mode (https://github.com/ansible/ansible/pull/40721)
    - spwd - With python 3.6 spwd.getspnam returns PermissionError instead of KeyError if user does not have privileges (https://github.com/ansible/ansible/issues/39472)
    - synchronize - Ensure the local connection created by synchronize uses _remote_is_local=True, which causes ActionBase to build a local tmpdir (https://github.com/ansible/ansible/pull/40833)
    - template - Fix for encoding issues when a template path contains non-ascii characters and using the template path in ansible_managed (https://github.com/ansible/ansible/issues/27262)
    - template action plugin - fix the encoding of filenames to avoid tracebacks on Python2 when characters that are not present in the user's locale are present. (https://github.com/ansible/ansible/pull/39424)
    - user - only change the expiration time when necessary (https://github.com/ansible/ansible/issues/13235)
    - uses correct conn info for reset_connection https://github.com/ansible/ansible/issues/27520
    - win_environment - Fix for issue where the environment value was deleted when a null value or empty string was set - https://github.com/ansible/ansible/issues/40450
    - win_file - fix issue where special chars like [ and ] were not being handled correctly https://github.com/ansible/ansible/pull/37901
    - win_get_url - fixed a few bugs around authentication and force no when using an FTP URL
    - win_iis_webapppool - redirect some module output to null so Ansible can read the output JSON https://github.com/ansible/ansible/issues/40874
    - win_template - fix when specifying the dest option as a directory with and without the trailing slash https://github.com/ansible/ansible/issues/39886
    - win_updates - Added the ability to run on a scheduled task for older hosts so async starts working again - https://github.com/ansible/ansible/issues/38364
    - win_updates - Fix logic when using a whitelist for multiple updates
    - win_updates - Fix typo that hid the download error when a download failed
    - win_updates - Fixed issue where running win_updates on async fails without any error
    - windows become - Show better error messages when the become process fails
    - winrm - Add better error handling when the kinit process fails
    - winrm - allow `ansible_user` or `ansible_winrm_user` to override `ansible_ssh_user` when both are defined in an inventory - https://github.com/ansible/ansible/issues/39844
    - winrm - ensure pexpect is set to not echo the input on a failure and have a manual sanity check afterwards https://github.com/ansible/ansible/issues/41865
    - winrm connection plugin - Fix exception messages sometimes raising a traceback when the winrm connection plugin encounters an unrecoverable error. https://github.com/ansible/ansible/pull/39333
    - xenserver_facts - ensure module works with newer versions of XenServer (https://github.com/ansible/ansible/pull/35821)
- use python3 on (open)SUSE 15 or newer
- Update to 2.5.5
  - Fixed the honouring of the no_log option with failed task iterations (CVE-2018-10855 boo#1097775)
  - Bugfixes:
    - Changed the admin_users config option to not include "admin" by default as admin is frequently used for a non-privileged account
    - aws_s3 - add async support to the action plugin
    - aws_s3 - fix decrypting vault files
    - ec2_ami - cast the device_mapping volume size to an int
    - eos_logging - fix idempotency issues
    - cache plugins - A cache timeout of 0 means the cache will not expire.
    - ios_logging - fix idempotency issues
    - ios/nxos/eos_config - don't retrieve config in running_config when config is provided for diff
    - nxos_banner - fix multiline banner issue
    - nxos terminal plugin - fix output truncation
    - nxos_l3_interface - fix no switchport issue with loopback and svi interfaces
    - nxos_snapshot - fix compare_option
- Applied spec-cleaner
- Update to 2.5.1
  Minor Changes
  + Updated example in vcenter_license module.
  + Updated virtual machine facts with instanceUUID which is unique for each VM irrespective of name and BIOS UUID.
  + A lot of Bugfixes, please refer to the Changelog installed in /usr/share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
- Update to 2.5.0:
  Major Changes
  * Ansible Network improvements
    + Created new connection plugins network_cli and netconf to replace connection=local. connection=local will continue to work for a number of Ansible releases.
    + No more "unable to open shell". A clear and descriptive message will be displayed in normal ansible-playbook output without needing to enable debug mode
    + Loads of documentation, see Ansible for Network Automation Documentation.
    + Refactor common network shared code into package under module_utils/network/
    + Filters: Add a filter to convert XML response from a network device to JSON object.
    + Loads of bug fixes.
    + Plus lots more.
  * New simpler and more intuitive 'loop' keyword for task loops. The with_ loops will likely be deprecated in the near future and eventually removed.
  * Added fact namespacing; from now on facts will be available under ansible_facts namespace (for example: ansible_facts.os_distribution) without the ansible_ prefix. They will continue to be added into the main namespace directly, but now with a configuration toggle to enable this. This is currently on by default, but in the future it will default to off.
  * Added a configuration file that a site administrator can use to specify modules to exclude from being used.
  Minor Changes
  * please refer to /share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
  Deprecated Features
  * Previously deprecated 'hostfile' config settings have been 're-deprecated' because previously code did not warn about deprecated configuration settings.
  * Using Ansible-provided Jinja tests as filters is deprecated and will be removed in Ansible 2.9.
  * The stat and win_stat modules have deprecated get_md5 and the md5 return values. These options will become undocumented in Ansible 2.9 and removed in a later version.
  * The redis_kv lookup has been deprecated in favor of new redis lookup
  * Passing arbitrary parameters that begin with HEADER_ to the uri module, used for passing http headers, is deprecated. Use the headers parameter with a dictionary of header names to value instead. This will be removed in Ansible 2.9
  * Passing arbitrary parameters to the zfs module to set zfs properties is deprecated. Use the extra_zfs_properties parameter with a dictionary of property names to values instead. This will be removed in Ansible 2.9.
  * Use of the AnsibleModule parameter check_invalid_arguments in custom modules is deprecated. In the future, all parameters will be checked to see whether they are listed in the arg spec and an error raised if they are not listed. This behaviour is the current and future default so most custom modules can simply remove check_invalid_arguments if they set it to the default value of True. The check_invalid_arguments parameter will be removed in Ansible 2.9.
  * The nxos_ip_interface module is deprecated in Ansible 2.5. Use nxos_l3_interface module instead.
  * The nxos_portchannel module is deprecated in Ansible 2.5. Use nxos_linkagg module instead.
  * The nxos_switchport module is deprecated in Ansible 2.5. Use nxos_l2_interface module instead.
  * The ec2_ami_find has been deprecated; use ec2_ami_facts instead.
  * panos_security_policy: Use panos_security_rule - the old module uses deprecated API calls
  * vsphere_guest is deprecated in Ansible 2.5 and will be removed in Ansible-2.9. Use vmware_guest module instead.
  Removed Features (previously deprecated)
  * accelerate.
  * boundary_meter: There was no deprecation period for this but the hosted service it relied on has gone away so the module has been removed. #29387
  * cl_ : cl_interface, cl_interface_policy, cl_bridge, cl_img_install, cl_ports, cl_license, cl_bond. Use nclu instead
  * docker. Use docker_container and docker_image instead.
  * ec2_vpc.
  * ec2_ami_search, use ec2_ami_facts instead.
  * nxos_mtu. Use nxos_system's system_mtu option instead. To specify an interface's MTU use nxos_interface.
  * panos_nat_policy: Use panos_nat_rule - the old module uses deprecated API calls
- also package the changelogs directory below /usr/share/doc/packages/ansible/ for better reference
- License changed to GPL-3.0-or-later, as mentioned in the source (former license focused on GPL-3.0 only)
- Add python-passlib as Requires (bsc#1080682): passlib is needed for the "vars_prompt" feature of ansible
- Update to version 2.4.3.0:
  * Fix `pamd` rule args regexp to match file paths.
  * Check if SELinux policy exists before setting.
  * Set locale to `C` in `letsencrypt` module to fix date parsing errors.
  * Fix include in loop when strategy=free.
  * Fix save parameter in asa_config.
  * Fix --vault-id support in ansible-pull.
  * In nxos_interface_ospf, fail nicely if loopback is used with passive_interface.
  * Fix quote filter when given an integer to quote.
  * nxos_vrf_interface fix when validating the interface.
  * Fix for win_copy when sourcing files from an SMBv1 share.
  * correctly report callback plugin file.
  * restrict revaulting to vault cli.
  * Fix python3 tracebacks in letsencrypt module.
  * Fix ansible_*_interpreter variables to be templated prior to being used.
  * Fix setting of environment in a task that uses a loop.
  * Fix fetch on Windows failing to fetch files or particular block size.
  * preserve certain fields during no log.
  * fix issue with order of declaration of sections in ini inventory.
  * Fix win_iis_webapppool to correctly stop an apppool.
  * Fix CloudEngine host failed.
  * Fix ios_config save issue.
  * Handle vault filenames with non-ASCII chars when displaying messages.
  * Fix win_iis_webapppool to not return passwords.
  * Fix extended file attributes detection and changing.
  * correctly ensure 'ungrouped' membership rules.
  * made warnings less noisy when empty/no inventory is supplied.
  * Fixes a failure which prevents creating servers in module cloudscale_server.
  * Fix win_firewall_rule "Specified cast is invalid" error when modifying a rule with all of Domain/Public/Private profiles set.
  * Fix case for multilib when installing from a file in the yum module.
  * Fix WinRM parsing/escaping of IPv6 addresses.
  * Fix win_package to detect MSI regardless of the extension case.
  * Updated win_mapped_drive docs to clarify what it is used for.
  * Fix file related modules run in check_mode when the file being operated on does not exist.
  * Make eos_vlan idempotent.
  * Fix win_iis_website to properly check attributes before setting.
  * Fixed the removal date for ios_config save and force parameters.
  * cloudstack: fix timeout from ini config file being ignored.
  * fixes memory usage issues with many blocks/includes.
  * Fixes maximum recursion depth exceeded with include_role.
  * Fix to win_dns_client module to take ordering of DNS servers to resolve into account.
  * Fix for the nxos_banner module where some nxos images nest the output inside of an additional dict.
  * Fix failure message "got multiple values for keyword argument id" in the azure_rm_securitygroup module (caused by changes to the azure python API).
  * Bump Azure storage client minimum to 1.5.0 to fix deserialization issues. This will break Azure Stack until it receives storage API version 2017-10-01 or changes are made to support multiple versions.
  * Flush stdin when passing the become password. Fixes some cases of timeout on Python 3 with the ssh connection plugin.
- update to version v2.4.2.0:
  * lock azure containerservice to below 2.0.0
  * ovirt_host_networks: Fix label assignment
  * Fix vault --ask-vault-pass with no tty (#31493)
  * cherry-pick changes of azure_rm_common from devel to 2.4 (#32607)
  * Fixes #31090. In network parse_cli filter plugin, this change moves the creation of a (#31092) (#32458)
  * Use an abspath for network inventory ssh key path.
  * Remove toLower on source (#31983)
  * Add k8s_common.py logging fixes to the changelog
  * inserts enable cmd hash with auth_pass used (#32107)
  * Fix exception upon display.warn() (#31876)
  * ios_system: Fix typo in unit test (#32284)
  * yum: use the C locale when screen scraping (#32203)
  * Use region derived from get_aws_connection_info() in dynamodb_table to fix tagging bug (#32557)
  * fix item var in delegation (#32986)
  * Add changelog entry for elb_application_lb fix
  * Add a validate example to blockinfile. (#32088)
  * Correct formatting --arguments (#31808)
  * Add changelog for URI/get_url fix
  * [cloud] Bugfix for aws_s3 empty directory creation (#32198)
  * Fix junos integration test fixes as per connection refactor (#33050) (#33055)
  * Update win_copy for #32677 (#32682)
  * ios_interface testfix (#32381)
  * Add proper check mode support to the script module (#31852)
  * Add galaxy --force fix to changelog
  * Fix non-ascii errors in config manager
  * Add python3 urllib fixes to changelog
  * Add changelog entry for the stdin py3 fix
  * Update version info for the 2.4.2 release
  * Add max_fail_percentage fix to changelog
  * Changelog entry for script inventory plugin fix.
  * Make RPM spec compatible with RHEL 6 (#31653)
  * Add changelog entry for the yum locale fix
  * Use vyos/1.1.8 in CI.
  * Fix patching to epel package
  * Pass proper error value to to_text (#33030)
  * Fix and re-enable zypper* integration tests in CI.
  * avoid chroot paths (#32778)
  * Add changelog entry for inventory nonascii paths fix
  * Fix ios_config integration test failures (#32959) (#32970)
  * Fix ios_config file prompt issue (#32744) (#32780)
  * Add module unit test docs (#31373)
  * dont add all group vars to implicit on create
  * Fix nxos_banner removal idempotence issue in N1 images (#31259)
  * Clarify the release and maintenance cycle (#32402)
  * Add ansible_distribution_major_version to macOS (#31708)
  * Docs (#32718)
  * Keep newlines when reading LXC container config file (#32219)
  * Updated changelog for vmware logon error handling
  * New release v2.4.2.0-0.2.beta2
  * added doc notes about vars plugins in precedence
  * revert module_utils/nxos change from #32846 (#32956)
  * [cloud] add boto3 requirement to `cloudformation` module docs (#31135)
  * Fixes #31056 (#31057)
  * Fix logging module issue where facility is being deleted along with host (#32234)
  * Get the moid in a more failsafe manner (#32671)
  * Integration Tests only: add static route, snmp_user, snapshot and hsrp it cases (#28933)
  * Add the change to when we escape backslashes (for the template lookup plugin) to changelog
  * correctly deal with changed (#31812)
  * Add the template lookup escaping to the 2.4 porting guide (#32760)
  * tests for InventoryModule error conditions (#31381)
  * Disable pylint rules for stable-2.4.
  * fix typo
  * Enable TLS1.1 and TLS1.2 for win_package (#32184)
  * Add remove host fix to changelog
  * ios_interface provider issue testfix (#32335)
  * win_service: quoted path fix (#32469)
  * Add changes to succeeded/failed tests to the 2.4 porting guide (#33201)
  * Run OS X tests in 3 groups in CI.
  * ini inventory: document value parsing workaround
  * Change netconf port in testcase as per test environment (#32883) (#32889)
  * fix inventory loading for ansible-doc
  * jsonify inventory (#32990)
  * firewalld: don't reference undefined variable in error case (#31949)
  * change ports to non well known ports and drop time_range for N1 (#31261)
  * make vars only group declarations an error
  * Add changelog for os_floating_ip fix
  * Fix example on comparing master config (#32406)
  * py2/py3 safer shas on hostvars (#31788)
  * ensure we always have a basedir
  * Add missing ansible-test --remote-terminate support. (#32918)
  * Use show command to support wider platform set for nxos_interface module (#33037)
  * ios_logging: change IOS command pipe to section to include (#33100) (#33116)
  * win_find: allow module to skip on files it fails to check (#32105)
  * New release v2.4.2.0-0.4.beta4
  * multiple nxos fixes (#32905)
  * Add changelog entry for git archive fix
  * Add changelog entries for a myriad of 2.4.2 bugfixes
  * iosxr integration testfix (#32344)
  * Fix #31694: running with closed stdin on python 3 (#31695)
  * Add eos_user fix to changelog
  * updated changelog with win_find fix
  * Added urls python3 fix to changelog
  * [cloud] Support changeset_name parameter on CloudFormation stack create (#31436)
  * use configured ansible_shell_executable
  * New release v2.4.2.0-0.3.beta3
  * Fix ec2_lc failing to create multi-volume configurations (#32191)
  * Changelog win_package TLS fix
  * Fix wrong prompt issue for network modules (#32426) (#32442)
  * New release v2.4.2.0-0.1.beta1
  * Exclude stack policy when running in check mode.
  * change inventory_hostname to ansible_host to fix test (#32890) (#32891)
  * Add azure_rm_acs check mode fix
  * Updated changelog for win_copy fix
  * corrected package docs
  * make sure patterns are strings
  * Add more bugfixes to changelog
  * Fix junos netconf port issue in integration test (#32610) (#32668)
  * fixed .loads error for non decoded json in Python 3 (#32065)
  * nxos_config and nxos_facts - fixes for N35 platform. (#32762) (#32875)
  * Add changelog entry for #32219
  * Remove provider from ios integration test (#31037) (#32230)
  * added note about serial behaviour (#32461)
  * Fixes ios_logging unit test (#32240)
  * Avoid AttributeError: internal_network on os_floating_ip (#32887)
  * use to_str instead of json.dumps when serializing k8s object for logging
  * Prefer the stdlib SSLContext over urllib3 context
  * git: fix archive when update is set to no (#31829)
  * Add elb_target_group port fix to the changelog
  * Changelog entry for aws_s3 issue #32144
  * Add error handling for user login (#32613)
  * Move asa provider to suboptions (#32356)
  * fix dci failure nxos (#32877) (#32878)
  * Add inventory jsonification to the changelog
  * eos_eapi: adding the desired state config to the new vrf fixes #32111 (#32112) (#32452)
  * Handle ip name-server lines containing multiple nameservers (#32235) (#32373)
  * Remove provider from prepare_ios_tests integration test (#31038)
  * Add last minute bugfixes and doc updates for rc1
  * Fix snmp bugs on Nexus 3500 platform (#32773) (#32847)
  * validate that existing dest is valid directory
  * Update the release data for 2.4.1 in the changelog
  * add check mode for acs delete (#32063)
  * More fixes added to changelog
  * Add wait_for fix to the changelog
  * removed psobject to hashtables that were missed (#32710)
  * wait_for: treat broken connections as "unready" (#28839)
  * Return all elements in a more robust way
  * fix ios_interface test (#32372)
  * Add missing packages to default docker image.
  * fix nxos_igmp_snooping (#31688)
  * Fix to return error message back to the module. (#31035)
  * Ensure that readonly result members are serialized (#33170)
  * Keywords docs (#32807)
  * remove hosts from removed when rescuing
  * Add panos_security_rule docs typo fix to changelog
  * Update vyos completion in network.txt.
  * move to use ansible logging
  * ovirt_clusters: Fix fencing and kuma comparison
  * Documentation typo fixes (#32473)
  * [fix] issue #30516: take care about autoremove in upgrade function
  * Enable ECHO in prompt module (#32083)
  * calculate max fail against all hosts in batch
  * Fix urlparse import for Python3 (#31240)
  * Bunch of changelog updates for cherry-picks
  * restore hostpattern regex/glob behaviour
  * Better handling of malformed vault data envelope (#32515)
  * Updated changelog regarding win_service quoted path fix
  * nxos_interface error handling (#32846)
  * An availability zone will be selected if none is provided. Set az to an empty string if it's None to avoid traceback. (#32216)
  * Use to_native when validating proxy result (#32596)
  * vmware_guest: refactor spec serialization (#32681)
  * Add new default Docker container for ansible-test. (#31944)
  * warn on bad keys in group
  * NXOS: Integration tests to Ansible (part 3) (#29030)
  * Add spec file fix to changelog
  * eos_user testfix (#32264)
  * iam.py: return iam.role dict when creating roles (#28964)
  * Add networking bug fixes to changelog (#32201)
  * [cloud] sns_topic: Fix unreferenced variable
  * Fix service_mgr fact collection (#32086)
  * Fix include_role unit tests (#31920)
  * Updated changelog for win_iis_* modules things
  * handle ignore_errors in loop
  * adjust nohome param when using luser
  * better cleanup on task results display (#27175)
  * Improve python 2/3 ABC fallback for pylint. (#31848)
  * fix html formatting
  * Add ansible_shell_executable fix to changelog
  * Move resource pool login to a separate function and fix undefined var reference (#32674)
  * Update ansible-test sanity command. (#31958)
  * ios_ping test fix (#32342)
  * fix CI failure yaml syntax (#32374)
  * Scan group_vars/host_vars in sorted order
  * luseradd defaults to creating w/o need for -m (#32411)
  * Integration Tests only: nxos_udld, nxos_udld_interface, nxos_vxlan_vtep_vni (#29143) (#32962)
  * Fix: modifying existing application lb using certificates now properly sets certificates (#28217)
  * ios_logging: Fix some smaller issues, add unit test (#32321)
  * Fix nxos_snmp_host bug (#32916) (#32958)
  * ovirt_hosts: Don't fail upgrade when NON_RESPONSIVE state
  * ini plugin should recursively instantiate pending
  * eos_user: sends user secret first on user creation fixes #31680 (#32162)
  * Cast target port to an int in elb_target_group. Fixes #32098 (#32202)
  * New release v2.4.2.0-0.5.rc1
  * remove misleading group vars as they are flat (#32276)
  * Fix typo
  * Avoid default inventory processing for pull (#32135)
  * Fix ansible-test default image. (#31966)
  * removed superfluous `type` field from RecordSet constructor (#33167)
  * Update k8s_common.py
  * Add ios_logging fixes to changelog 2.4.2beta2 (#32447)
  * Revert "Removed a force conditional (#28851)" (#32282)
  * Add new documentation on writing unittests to the changelog
  * Fix ansible-test race calling get_coverage_path.
  * New release v2.4.2.0-1
- update to 2.3.2.0 (final) - bsc#1059235
- update to 2.3.1 RC1 (package version 2.3.0.1) (bsc#1056094): as "unsafe".
  bsc#1038785
  * SECURITY (MODERATE): fix for CVE-2017-7466, which finally fixes an arbitrary command execution vulnerability
- security update to rc4 of 2.2.1.0 version: CVE-2016-9587, CVE-2016-8628, CVE-2016-8614, CVE-2016-8647, CVE-2016-9587 (bsc#1008037, bsc#1008038, bsc#1010940, bsc#1019021)

Changes in ardana-ansible:
- Update to version 8.0+git.1596735237.54109b1:
  * Update the Swift XFS inode size check (SOC-10300)
- Update to version 8.0+git.1596204601.75b0e4e:
  * Fix upgrade validations Keystone V3 check target (SOC-10300)

Changes in ardana-cinder:
- Update to version 8.0+git.1596129856.263f430:
  * Install python-swiftclient as cinder-backup dependency (SOC-11364)

Changes in ardana-glance:
- Update to version 8.0+git.1593631779.76fa9b7:
  * Idempotent cirros image upload to glance (SOC-11342)

Changes in ardana-mq:
- Update to version 8.0+git.1593618123.678c32b:
  * Ensure epmd.service started/stopped independent of rabbitmq (SOC-6780)

Changes in ardana-nova:
- Update to version 8.0+git.1601298847.dd01585:
  * restore ram_weight_multiplier to default (bsc#1123561)
  * enable all weigher classes by default (bsc#1123561)
- Update to version 8.0+git.1595857666.cf6b4a9:
  * Correction for (bsc#1174242)
- Update to version 8.0+git.1595356665.56726ed:
  * Disable nova-consoleauth monasca process check (bsc#1174242)

Changes in ardana-osconfig:
- Update to version 8.0+git.1595885113.93abcbc:
  * Enable SLE12 SP3 LTSS for SMT deployments (SOC-11223)

Changes in crowbar-core:
- Update to version 5.0+git.1600432272.b3ad722f0:
  * provisioner: check for client_user (SOC-11389)
  * upgrade: Allow transition from crowbar_upgrade to reboot (trivial)
- Update to version 5.0+git.1600352887.1e23b8015:
  * Ignore CVE-2020-15169 (SOC-11391)
- Update to version 5.0+git.1594898401.caf0b325c:
  * crowbar: Also add access to /restricted/ in SSL vhost (SOC-11352)
- Update to version 5.0+git.1593779118.8362c57e5:
  * crowbar: Allow hardware-installing -> discovering transition (noref)
  * crowbar: Add Restricted controller with API for restricted clients (bsc#1117080)
  * crowbar: Add complete list of states to Crowbar::State (noref)
  * provisioner: Remove the need for /updates/parse_node_data (noref)
  * crowbar: Create helper module to validate states (noref)
  * provisioner: Use new restricted API (bsc#1117080)
  * provisioner: Do not read /etc/crowbar.install.key from crowbar_joi (bsc#1117080)
  * provisioner: Remove use of privileged user for Windows machine (bsc#1117080)
  * provisioner: Use restricted client during provisioning (bsc#1117080)
  * provisioner: Use restricted client for crowbar_register (bsc#1117080)
  * provisioner: Drop /etc/crowbar.install.key bits from autoyast prof (bsc#1117080)
  * Avoid hardcoding machine-install user (bsc#1117080)
  * crowbar: Restrict admin access (bsc#1117080)

Changes in crowbar-openstack:
- Update to version 5.0+git.1599037158.5c4d07480:
  * horizon: Update configuration for Grafana 5.x

Changes in documentation-suse-openstack-cloud:
- Update to version 8.20201007:
  * reversed step 8 and 9 in PTF installation (SOC-10616)
  * Modified the PTF install instructions as per the (SOC-10616)
- Update to version 8.20200904:
  * Clarify reboot instructions during update workflow (SOC-11386)
- Update to version 8.20200921:
  * replaced postgreSQL with MariaDB as per comments 4 and 5 in ticket (SOC-11000)
- Update to version 8.20200424:
  * Update ESX documentation for DVS creation (bsc#1142121)
  * Fix table issues

Changes in grafana:
- BuildRequire go1.14 explicitly
- Add recompress source service
- Add go_modules source service to create vendor.tar.gz containing 3rd party go modules.
- Adjust spec to work for Grafana-6.7.4
- Adjust Makefile to work for Grafana-6.7.4
- Remove CVE-2019-15043.patch (merged upstream)
- Remove CVE-2020-13379.patch (merged upstream)
- Remove 0001-fix-XSS-vulnerabilities-in-dashboard-links.patch (merged upstream)
- Remove 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch (merged upstream)
- Remove systemd-notification.patch (merged upstream)
- Update to version 6.7.4 (bsc#1172450, CVE-2018-18623, CVE-2018-18624, CVE-2018-18625, bsc#1174583, CVE-2020-11110)
  * Security: Urgent security fix for stored XSS
- Update to version 6.7.3
  * Admin: Fix Synced via LDAP message for non-LDAP external users. [#23477]
  * Alerting: Fix notifications for alerts with empty message in Google Hangouts notifier. [#23559]
  * AuthProxy: Fix bug where long username could not be cached. [#22926]
  * Dashboard: Fix saving dashboard when editing raw dashboard JSON model. [#23314]
  * Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. [#21694]
  * DashboardListPanel: Fix problem with empty panel after going into edit mode (General folder filter being automatically added). [#23426]
  * Data source: Handle datasource withCredentials option properly. [#23380]
  * Security: Fix annotation popup XSS vulnerability [#23813]
  * Security: Fix XSS vulnerability in table panel [#23816]
  * Server: Exit Grafana with status code 0 if no error. [#23312]
  * TablePanel: Fix XSS issue in header column rename (backport). [#23814]
  * Variables: Fix error when setting adhoc variable values. [#23580]
- Update to version 6.7.2
  * BackendSrv: Adds config to response to fix issue for external plugins that used this property. [#23032]
  * Dashboard: Fix issue with saving new dashboard after changing title. [#23104]
  * DataLinks: make sure we use the correct datapoint when dataset contains null value. [#22981]
  * Plugins: Fix issue for plugins that imported dateMath util. [#23069]
  * Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. [#23254]
  * Variables: Fix issue with too many queries being issued for nested template variables after value change. [#23220]
  * Plugins: Expose promiseToDigest. [#23249]
  * Reporting: Fix issue updating a report created by someone else (Enterprise)
- Update to version 6.7.1
  * Azure: Fix dropdowns not showing current value. [#22914]
  * BackendSrv: only add content-type on POST, PUT requests. [#22910]
  * Panels: Fix size issue with panel internal size when exiting panel edit mode. [#22912]
  * Reporting: fixes migrations compatibility with mysql (Enterprise)
  * Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to version 6.7.0
  * AzureMonitor: support workspaces function for template variables. [#22882]
  * SQLStore: Add migration for adding index on annotation.alert_id. [#22876]
  * TablePanel: Enable new units picker. [#22833]
  * AngularPanels: Fix inner height calculation for angular panels. [#22796]
  * BackendSrv: makes sure provided headers are correctly recognized and set. [#22778]
  * Forms: Fix input suffix position (caret-down in Select). [#22780]
  * Graphite: Fix issue with query editor and next select metric not showing after selecting metric node [#22856]
  * Rich History: UX adjustments and fixes. [#22729]
  * Slack: Removed _Mention_ setting and instead introduce _Mention Users_, _Mention Groups_, and _Mention Channel_.
  * Alerting: Reverts the behavior of `diff` and `percent_diff` to not always be absolute.
  * API: Include IP address when logging request error. [#21596]
  * Alerting: Support passing tags to Pagerduty and allow notification on specific event categories [#21335]
  * Chore: Remove angular dependency from backendSrv. [#20999]
  * CloudWatch: Surround dimension names with double quotes. [#22222]
  * CloudWatch: updated metrics and dimensions for Athena, DocDB, and Route53Resolver. [#22604]
  * Cloudwatch: add Usage Metrics. [#22179]
  * Dashboard: Adds support for a global minimum dashboard refresh interval. [#19416]
  * DatasourceEditor: Add UI to edit custom HTTP headers. [#17846]
  * Elastic: To get fields, start with today's index and go backwards. [#22318]
  * Explore: Rich history. [#22570]
  * Graph: canvas's Stroke is executed after loop. [#22610]
  * Graphite: Don't issue empty "select metric" queries. [#22699]
  * Image Rendering: Store render key in remote cache to enable renderer to callback to public/load balancer URL when running in HA mode. [#22031]
  * LDAP: Add fallback to search_base_dns if group_search_base_dns is undefined [#21263]
  * OAuth: Implement Azure AD provider. [#20030]
  * Prometheus: Implement region annotation. [#22225]
  * Prometheus: make $__range more precise. [#21722]
  * Prometheus: Do not show rate hint when increase function is used in query. [#21955]
  * Stackdriver: Project selector. [#22447]
  * TablePanel: display multi-line text. [#20210]
  * Templating: Add new global built-in variables. [#21790]
  * Reporting: add concurrent render limit to settings (Enterprise)
  * Reporting: Add rendering timeout in settings (Enterprise)
  * API: Fix redirect issues. [#22285]
  * Alerting: Don't include image_url field with Slack message if empty. [#22372]
  * Alerting: Fix bad background color for default notifications in alert tab. [#22660]
  * Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. [#22323]
  * Azure Monitor: Fix app insights source to allow for new timeFrom and timeTo. [#21879]
  * BackendSrv: Fix POST body for form data. [#21714]
  * CloudWatch: Credentials cache invalidation fix. [#22473]
  * CloudWatch: Expand alias variables when query yields no result [#22695]
  * Dashboard: Fix bug with NaN in alerting. [#22053]
  * Explore: Fix display of multiline logs in log panel and explore. [#22057]
  * Heatmap: Legend color range is incorrect when using custom min/max [#21748]
  * Security: Fix XSS issue in dashboard history diff. [#22680]
  * StatPanel: Fix base color being used for null values. [#22646]
- Update to version 6.6.2
  * Data proxy: Log proxy errors using Grafana logger. [#22174]
  * Metrics: Add gauge for requests currently in flight. [#22168]
  * @grafana/ui: Fix displaying of bars in React Graph. [#21968]
  * API: Fix redirect issue when configured to use a subpath. [#21652]
  * API: Improve recovery middleware when response already been written [#22256]
  * Auth: Don't rotate auth token when requests are cancelled by client [#22106]
  * Elasticsearch: Fix auto interval for date histogram in explore logs mode. [#21937]
  * Image Rendering: Fix PhantomJS compatibility with es2016 node dependencies. [#21677]
  * Links: Assure base url when single stat, panel and data links are built. [#21956]
  * Loki, Prometheus: Fix PromQL and LogQL syntax highlighting. [#21944]
  * OAuth: Enforce auto_assign_org_id setting when role mapping enabled using Generic OAuth. [#22268]
  * Prometheus: Updates explore query editor to prevent it from throwing error on edit. [#21605]
  * Server: Reorder cipher suites for better security. [#22101]
  * TimePicker: fixing weird behavior with calendar when switching between months/years. [#22253]
- Update to version 6.6.1
  * Annotations: Change indices and rewrites annotation find query to improve database query performance. [#21915]
  * Azure Monitor: Fix Application Insights API key field to allow input. [#21738]
  * BarGauge: Fix so we properly display the "no result" value when query returns empty result. [#21791]
  * Datasource: Show access (Browser/Server) select on the Prometheus datasource. [#21833]
  * DatasourceSettings: Fix issue navigating away from data source settings page. [#21841]
  * Graph Panel: Fix typo in thresholds form. [#21903]
  * Graphite: Fix issue with functions with multiple required params and no defaults [#21814]
  * Image Rendering: Fix render of graph panel legend aligned to the right using Grafana image renderer plugin/service. [#21854]
  * Metrics: Adds back missing summary quantiles. [#21858]
  * OpenTSDB: Adds back missing ngInject to make it work again. [#21796]
  * Plugins: Fix routing in app plugin pages. [#21847]
  * Prometheus: Fix default step value for annotation query. [#21934]
  * Quota: Makes LDAP + Quota work for the first login of a new user. [#21949]
  * StatPanels: Fix change from singlestat to Gauge / BarGauge / Stat where default min & max (0, 100) was copied. [#21820]
  * TimePicker: Should display in kiosk mode. [#21816]
  * grafana/toolkit: Fix failing linter when there were lint issues. [#21849]
- Update to version 6.6.0
  * CloudWatch: Add DynamoDB Accelerator (DAX) metrics & dimensions. [#21644]
  * CloudWatch: Auto period snap to next higher period. [#21659]
  * Template variables: Add error for failed query variable on time range update. [#21731]
  * XSS: Sanitize column link. [#21735]
  * Elasticsearch: Fix adhoc variable filtering for logs query. [#21346]
  * Explore: Fix colors for log level when level value is capitalised. [#21646]
  * Explore: Fix context view in logs, where some rows may have been filtered out. [#21729]
  * Loki: Fix Loki with repeated panels and interpolation for Explore. [#21685]
  * SQLStore: Fix PostgreSQL failure to create organisation for first time. [#21648]
  * PagerDuty: Change `payload.custom_details` field in PagerDuty notification to be a JSON object instead of a string.
  * Security: The `[security]` setting `cookie_samesite` configured to `none` now renders cookies with `SameSite=None` attribute.
  * Graphite: Add Metrictank dashboard to Graphite datasource
  * Admin: Show name of user in users table view. [#18108]
  * Alerting: Add configurable severity support for PagerDuty notifier. [#19425]
  * Alerting: Add more information to webhook notifications. [#20420]
  * Alerting: Add support for sending tags in OpsGenie notifier. [#20810]
  * Alerting: Added fallbackText to Google Chat notifier. [#21464]
  * Alerting: Adds support for sending a single email to all recipients in email notifier. [#21091]
  * Alerting: Enable setting of OpsGenie priority via a tag. [#21298]
  * Alerting: Use fully qualified status emoji in Threema notifier. [#21305]
  * Alerting: new min_interval_seconds option to enforce a minimum evaluation frequency. [#21188]
  * CloudWatch: Calculate period based on time range. [#21471]
  * CloudWatch: Display partial result in graph when max DP/call limit is reached. [#21533]
  * CloudWatch: ECS/ContainerInsights metrics support. [#21125]
  * CloudWatch: Upgrade aws-sdk-go. [#20510]
  * DataLinks: allow using values from other fields in the same row (cells). [#21478]
  * Editor: Ignore closing brace when it was added by editor. [#21172]
  * Explore: Context tooltip to copy labels and values from graph. [#21405]
  * Explore: Log message line wrapping options for logs. [#20360]
  * Forms: introduce RadioButtonGroup. [#20828]
  * Frontend: Changes in Redux location should not strip subpath from location url. [#20161]
  * Graph: Add fill gradient option to series override line fill. [#20941]
  * Graphite: Add metrictank dashboard to Graphite datasource. [#20776]
  * Graphite: Do not change query when opening the query editor and there is no data. [#21588]
  * Gravatar: Use HTTPS by default. [#20964]
  * Loki: Support for template variable queries. [#20697]
  * NewsPanel: Add news as a builtin panel. [#21128]
  * OAuth: Removes send_client_credentials_via_post setting. [#20044]
  * OpenTSDB: Adding lookup limit to OpenTSDB datasource settings. [#20647]
  * Postgres/MySQL/MSSQL: Adds support for region annotations. [#20752]
  * Prometheus: Field to specify step in Explore. [#20195]
  * Prometheus: Use metrics metadata to inform query hints. [#21304]
  * Renderer: Add user-agent to remote rendering service requests. [#20956]
  * Security: Add disabled option for cookie samesite attribute. [#21472]
  * Stackdriver: Support meta labels. [#21373]
  * TablePanel, GraphPanel: Exclude hidden columns from CSV. [#19925]
  * Templating: Update variables on location changed. [#21480]
  * Tracing: Support configuring Jaeger client from environment. [#21103]
  * Units: Add currency and energy units. [#20428]
  * Units: Support dynamic count and currency units. [#21279]
  * grafana/toolkit: Add option to override webpack config. [#20872]
  * grafana/ui: ConfirmModal component. [#20965]
  * grafana/ui: Create Tabs component. [#21328]
  * grafana/ui: New table component. [#20991]
  * grafana/ui: New updated time picker. [#20931]
  * White-labeling: Makes it possible to customize the footer and login background (Enterprise)
  * API: Optionally list expired API keys. [#20468]
  * Alerting: Fix custom_details to be a JSON object instead of a string in PagerDuty notifier. [#21150]
  * Alerting: Fix image rendering and uploading timeout preventing to send alert notifications. [#21536]
  * Alerting: Fix panic in dingding notifier. [#20378]
  * Alerting: Fix template query validation logic. [#20721]
  * Alerting: If no permission to clear history, keep the historical data. [#19007]
  * Alerting: Unpausing a non-paused alert rule should not change status to Unknown. [#21375]
  * Api: Fix returned message when enabling, disabling and deleting a non-existing user. [#21391]
  * Auth: Rotate auth tokens at the end of requests. [#21347]
  * Azure Monitor: Fix error when using azure monitor credentials with log analytics and non-default cloud. [#21032]
  * CLI: Return error and abort when plugin file extraction fails. [#20849]
  * CloudWatch: Multi-valued template variable dimension alias fix. [#21541]
  * Dashboard: Disable draggable panels on small devices. [#20629]
  * DataLinks: Links with ${__value.time} do not work when clicking on first result. [#20019]
  * Explore: Fix showing of results in selected timezone (UTC/local). [#20812]
  * Explore: Fix timepicker when browsing back after switching datasource. [#21454]
  * Explore: Sync timepicker and logs after live-tailing stops. [#20979]
  * Graph: Fix when clicking a plot on a touch device we won't display the annotation menu. [#21479]
  * OAuth: Fix role mapping from id token. [#20300]
  * Plugins: Add appSubUrl string to config pages. [#21414]
  * Provisioning: Start provisioning dashboards after Grafana server has started. [#21564]
  * Render: Use https as protocol when rendering if HTTP2 enabled. [#21600]
  * Security: Use same cookie settings for all cookies. [#19787]
  * Singlestat: Support empty value map texts. [#20952]
  * Units: Custom suffix and prefix units can now be specified, for example custom currency & SI & time formats. [#20763]
  * grafana/ui: Do not build grafana/ui in strict mode as it depends on non-strict libs. [#21319]
- Update to version 6.5.3
  * API: Validate redirect_to cookie has valid (Grafana) url. [#21057]
  * AdHocFilter: Shows SubMenu when filtering directly from table. [#21017]
  * Cloudwatch: Fix crash when switching from cloudwatch data source. [#21376]
  * DataLinks: Sanitize data/panel link URLs. [#21140]
  * Elastic: Fix multiselect variable interpolation for logs. [#20894]
  * Prometheus: allow user to change HTTP Method in config settings. [#21055]
  * Prometheus: Prevents validation of inputs when clicking in them without changing the value. [#21059]
  * Rendering: Fix panel PNG rendering when using sub url and serve_from_sub_path = true. [#21306]
  * Table: Matches column names with unescaped regex characters. [#21164]
- Update to version 6.5.2
  * Alerting: Improve alert threshold handle dragging behavior. [#20922]
  * AngularPanels: Fix loading spinner being stuck in some rare cases. [#20878]
  * CloudWatch: Fix query editor does not render in Explore. [#20909]
  * CloudWatch: Remove illegal character escaping in inferred expressions. [#20915]
  * CloudWatch: Remove template variable error message. [#20864]
  * CloudWatch: Use datasource template variable in curated dashboards. [#20917]
  * Elasticsearch: Set default port to 9200 in ConfigEditor. [#20948]
  * Gauge/BarGauge: Added support for value mapping of "no data"-state to text/value. [#20842]
  * Graph: Prevent tooltip from being displayed outside of window. [#20874]
  * Graphite: Fix error with annotation metric queries. [#20857]
  * Login: Fix fatal error when navigating from reset password page. [#20747]
  * MixedDatasources: Do not filter out all mixed data sources in add mixed query dropdown. [#20990]
  * Prometheus: Fix caching for default labels request. [#20718]
  * Prometheus: Run default labels query only once. [#20898]
  * Security: Fix invite link still accessible after completion or revocation. [#20863]
  * Server: Fail when unable to create log directory. [#20804]
  * TeamPicker: Increase size limit from 10 to 100. [#20882]
  * Units: Remove SI prefix symbol from new milli/microSievert(/h) units. [#20650]
- Update to version 6.5.1
  * CloudWatch: Region template query fix. [#20661]
  * CloudWatch: Fix annotations query editor loading. [#20687]
  * Panel: Fix undefined services/dependencies in plugins without `/@ngInject*/`. [#20696]
  * Server: Fix failure to start with "bind: address already in use" when using socket as protocol. [#20679]
  * Stats: Fix active admins/editors/viewers stats being counted more than once if the user is part of more than one org. [#20711]
- Update to version 6.5.0
  * CloudWatch: Add curated dashboards for most popular amazon services. [#20486]
  * CloudWatch: Enable Min time interval. [#20260]
  * Explore: UI improvements for log details. [#20485]
  * Server: Improve grafana-server diagnostics configuration for profiling and tracing. [#20593]
  * BarGauge/Gauge: Add back missing title option field display options. [#20616]
  * CloudWatch: Fix high CPU load. [#20579]
  * CloudWatch: Fix high resolution mode without expression. [#20459]
  * CloudWatch: Make sure period variable is being interpreted correctly.
[#20447] * CloudWatch: Remove HighResolution toggle since it's not being used. [#20440] * Cloudwatch: Fix LaunchTime attribute tag bug. [#20237] * Data links: Fix URL field turns read-only for graph panels. [#20381] * Explore: Keep logQL filters when selecting labels in log row details. [#20570] * MySQL: Fix TLS auth settings in config page. [#20501] * Provisioning: Fix unmarshaling nested jsonData values. [#20399] * Server: Should fail when server is unable to bind port. [#20409] * Templating: Prevents crash when \$\_\_searchFilter is not a string. [#20526] * TextPanel: Fix issue with template variable value not properly html escaped [#20588] * TimePicker: Should update after location change. [#20466] * CloudWatch: use GetMetricsData API for all queries * CloudWatch: The GetMetricData API does not return metric unit, so unit auto detection in panels is no longer supported. * CloudWatch: The `HighRes` switch has been removed from the query editor. * API: Add `createdAt` and `updatedAt` to api/users/lookup. [#19496] * API: Add createdAt field to /api/users/:id. [#19475] * Admin: Adds setting to disable creating initial admin user. [#19505] * Alerting: Include alert_state in Kafka notifier payload. [#20099] * AuthProxy: Can now login with auth proxy and get a login token. [#20175] * AuthProxy: replaces setting ldap_sync_ttl with sync_ttl. [#20191] * AzureMonitor: Alerting for Azure Application Insights. [#19381] * Build: Upgrade to Go 1.13. [#19502] * CLI: Reduce memory usage for plugin installation. [#19639] * CloudWatch: Add ap-east-1 to hard-coded region lists. [#19523] * CloudWatch: ContainerInsights metrics support. 
[#18971] * CloudWatch: Support dynamic queries using dimension wildcards [#20058] * CloudWatch: Stop using GetMetricStatistics and use GetMetricData for all time series requests [#20057] * CloudWatch: Convert query editor from Angular to React [#19880] * CloudWatch: Convert config editor from Angular to React [#19881] * CloudWatch: Improved error handling when throttling occurs [#20348] * CloudWatch: Deep linking from Grafana panel to CloudWatch console [#20279] * CloudWatch: Add Grafana user agent to GMD calls [#20277] * Dashboard: Allows the d-solo route to be used without slug. [#19640] * Elasticsearch: Adds support for region annotations. [#17602] * Explore: Add custom DataLinks on datasource level (like tracing links). [#20060] * Explore: Add functionality to show/hide query row results. [#19794] * Explore: Synchronise time ranges in split mode. [#19274] * Explore: UI change for log row details . [#20034] * Frontend: Migrate DataSource HTTP Settings to React. [#19452] * Frontend: Show browser not supported notification. [#19904] * Graph: Added series override option to have hidden series be persisted on save. [#20124] * Graphite: Add Metrictank option to settings to view Metrictank request processing info in new inspect feature. [#20138] * LDAP: Enable single user sync. [#19446] * LDAP: Last org admin can login but wont be removed. [#20326] * LDAP: Support env variable expressions in ldap.toml file. [#20173] * OAuth: Generic OAuth role mapping support. [#17149] * Prometheus: Custom query parameters string for Thanos downsampling. [#19121] * Provisioning: Allow saving of provisioned dashboards. [#19820] * Security: Minor XSS issue resolved by angularjs upgrade from 1.6.6 -> 1.6.9. [#19849] * TablePanel: Prevents crash when data contains mixed data formats. [#20202] * Templating: Introduces \$\_\_searchFilter to Query Variables. [#19858] * Templating: Made default template variable query editor field a textarea with automatic height. 
[#20288] * Units: Add milli/microSievert, milli/microSievert/h and pixels. [#20144] * Units: Added mega ampere and watt-hour per kg. [#19922] * Enterprise: Enterprise without a license behaves like OSS (Enterprise) * API: Added dashboardId and slug in response to dashboard import api. [#19692] * API: Fix logging of dynamic listening port. [#19644] * BarGauge: Fix so that default thresholds not keeps resetting. [#20190] * CloudWatch: Fix incorrect casing of Redshift dimension entry for service class and stage. [#19897] * CloudWatch: Fixing AWS Kafka dimension names. [#19986] * CloudWatch: Metric math broken when using multi template variables [#18337] * CloudWatch: Graphs with multiple multi-value dimension variables don't work [#17949] * CloudWatch: Variables' values surrounded with braces in request sent to AWS [#14451] * CloudWatch: Cloudwatch Query for a list of instances for which data is available in the selected time interval [#12784] * CloudWatch: Dimension's positioning/order should be stored in the json dashboard [#11062] * CloudWatch: Batch CloudWatch API call support in backend [#7991] * ColorPicker: Fix issue with ColorPicker disappearing too quickly. [#20289] * Datasource: Add custom headers on alerting queries. [#19508] plugins in alpine. [#20214] * Elasticsearch: Fix template variables interpolation when redirecting to Explore. [#20314] * Elasticsearch: Support rendering in logs panel. [#20229] * Explore: Expand template variables when redirecting from dashboard panel. [#19582] * OAuth: Make the login button display name of custom OAuth provider. [#20209] * ReactPanels: Adds Explore menu item. [#20236] * Team Sync: Fix URL encode Group IDs for external team sync. [#20280] - Update to version 6.4.5 * CloudWatch: Fix high CPU load [#20579] - Update to version 6.4.4 * MySQL: Fix encoding in connection string [#20192] * DataLinks: Fix blur issues. [#19883] * LDAP: try all LDAP servers even if one returns a connection error. 
[#20077] * LDAP: No longer shows incorrectly matching groups based on role in debug page. [#20018] * Singlestat: Fix no data / null value mapping . [#19951] - Update to version 6.4.3 * Alerting: All notification channels should send even if one fails to send. [#19807] * AzureMonitor: Fix slate interference with dropdowns. [#19799] * ContextMenu: make ContextMenu positioning aware of the viewport width. [#19699] * DataLinks: Fix context menu not showing in singlestat-ish visualisations. [#19809] * DataLinks: Fix url field not releasing focus. [#19804] * Datasource: Fix issue where clicking outside of some query editors required 2 clicks. [#19822] * Panels: Fix default tab for visualizations without Queries Tab. [#19803] * Singlestat: Fix issue with mapping null to text. [#19689] * @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. [#19821] * @grafana/toolkit: TSLint line number off by 1. [#19782] - Update to version 6.4.2 * CloudWatch: Changes incorrect dimension wmlid to wlmid . [#19679] * Grafana Image Renderer: Fix plugin page. [#19664] * Graph: Fix auto decimals logic for y axis ticks that results in too many decimals for high values. [#19618] * Graph: Switching to series mode should re-render graph. [#19623] * Loki: Fix autocomplete on label values. [#19579] * Loki: Removes live option for logs panel. [#19533] * Profile: Fix issue with user profile not showing more than sessions sessions in some cases. [#19578] * Prometheus: Always sort results in Panel by query order. [#19597] * Show SAML login button if SAML is enabled. [#19591] * SingleStat: Fix $__name postfix/prefix usage. [#19687] * Table: Proper handling of json data with dataframes. [#19596] * Units: Fix wrong id for Terabits/sec. [#19611] - Update to version 6.4.1 * Provisioning: Fix issue where empty nested keys in YAML provisioning caused server crash, [#19547] - Update to version 6.4.0 * Build: Upgrade go to 1.12.10. 
[#19499] * DataLinks: Suggestions menu improvements. [#19396] * Explore: Take root_url setting into account when redirecting from dashboard to explore. [#19447] * Explore: Update broken link to logql docs. [#19510] * Logs: Adds Logs Panel as a visualization. [#19504] * Reporting: Generate and email PDF reports based on Dashboards (Enterprise) * CLI: Fix version selection for plugin install. [#19498] * Graph: Fix minor issue with series override color picker and custom color. [#19516] * Splunk plugin needs to be updated when upgrading from 6.3 to 6.4 * Azure Monitor: Remove support for cross resource queries (#19115)". [#19346] * Graphite: Time range expansion reduced from 1 minute to 1 second. [#19246] * grafana/toolkit: Add plugin creation task. [#19207] * Alerting: Prevents creating alerts from unsupported queries. [#19250] * Alerting: Truncate PagerDuty summary when greater than 1024 characters. [#18730] * Cloudwatch: Fix autocomplete for Gamelift dimensions. [#19146] * Dashboard: Fix export for sharing when panels use default data source. [#19315] * Database: Rewrite system statistics query to perform better. [#19178] * Gauge/BarGauge: Fix issue with [object Object] in titles . [#19217] * MSSQL: Revert usage of new connectionstring format introduced by #18384. [#19203] * Multi-LDAP: Do not fail-fast on invalid credentials. [#19261] * MySQL, Postgres, MSSQL: Fix validating query with template variables in alert. [#19237] * MySQL, Postgres: Update raw sql when query builder updates. [#19209] * MySQL: Limit datasource error details returned from the backend. [#19373] * Reporting: Created scheduled PDF reports for any dashboard (Enterprise). * API: Readonly datasources should not be created via the API. [#19006] * Alerting: Include configured AlertRuleTags in Webhooks notifier. [#18233] * Annotations: Add annotations support to Loki. [#18949] * Annotations: Use a single row to represent a region. 
[#17673] * Auth: Allow inviting existing users when login form is disabled. [#19048] * Azure Monitor: Add support for cross resource queries. [#19115] * CLI: Allow installing custom binary plugins. [#17551] * Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. [#18641] * Dashboard: Reuse query results between panels . [#16660] * Dashboard: Set time to to 23:59:59 when setting To time using calendar. [#18595] * DataLinks: Add DataLinks support to Gauge, BarGauge and stat panel. [#18605] * DataLinks: Enable access to labels & field names. [#18918] * DataLinks: Enable multiple data links per panel. [#18434] * Elasticsearch: allow templating queries to order by doc_count. [#18870] * Explore: Add throttling when doing live queries. [#19085] * Explore: Adds ability to go back to dashboard, optionally with query changes. [#17982] * Explore: Reduce default time range to last hour. [#18212] * Gauge/BarGauge: Support decimals for min/max. [#18368] * Graph: New series override transform constant that renders a single point as a line across the whole graph. [#19102] * Image rendering: Add deprecation warning when PhantomJS is used for rendering images. [#18933] * InfluxDB: Enable interpolation within ad-hoc filter values. [#18077] * LDAP: Allow an user to be synchronized against LDAP. [#18976] * Ldap: Add ldap debug page. [#18759] * Loki: Remove prefetching of default label values. [#18213] * Metrics: Add failed alert notifications metric. [#18089] * OAuth: Support JMES path lookup when retrieving user email. [#14683] * OAuth: return GitLab groups as a part of user info (enable team sync). [#18388] * Panels: Add unit for electrical charge - ampere-hour. [#18950] * Plugin: AzureMonitor - Reapply MetricNamespace support. [#17282] * Plugins: better warning when plugins fail to load. [#18671] * Postgres: Add support for scram sha 256 authentication. [#18397] * RemoteCache: Support SSL with Redis. 
[#18511] * SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . [#18610] * Stackdriver: Add extra alignment period options. [#18909] * Units: Add South African Rand (ZAR) to currencies. [#18893] * Units: Adding T,P,E,Z,and Y bytes. [#18706] * Alerting: Notification is sent when state changes from no_data to ok. [#18920] * Alerting: fix duplicate alert states when the alert fails to save to the database. [#18216] * Alerting: fix response popover prompt when add notification channels. [#18967] * CloudWatch: Fix alerting for queries with Id (using GetMetricData). [#17899] * Explore: Fix auto completion on label values for Loki. [#18988] * Explore: Fix crash using back button with a zoomed in graph. [#19122] * Explore: only run queries in Explore if Graph/Table is shown. [#19000] * MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. [#18384] * MSSQL: Fix memory leak when debug enabled. [#19049] * Provisioning: Allow escaping literal '$' with '$\$' in configs to avoid interpolation. [#18045] * TimePicker: Fix hiding time picker dropdown in FireFox. [#19154] * Various breaking changes in the annotations HTTP API for region annotations. - Update to version 6.3.7 * CloudWatch: Fix high CPU load [#20579] - Update to version 6.3.6 * Metrics: Adds setting for turning off total stats metrics. [#19142] * Database: Rewrite system statistics query to perform better. [#19178] * Explore: Fix error when switching from prometheus to loki data sources. [#18599] - Update to version 6.3.5 * Dashboard: Fix dashboards init failed loading error for dashboards with panel links that had missing properties. [#18786] * Editor: Fix issue where only entire lines were being copied. [#18806] * Explore: Fix query field layout in splitted view for Safari browsers. [#18654] * LDAP: multildap + ldap integration. [#18588] * Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds. 
[#18788] * Prometheus: Prevents panel editor crash when switching to Prometheus data source. [#18616] * Prometheus: Changes brace-insertion behavior to be less annoying. [#18698] - Update to version 6.3.4 * Annotations: Fix failing annotation query when time series query is cancelled. [#18532] * Auth: Do not set SameSite cookie attribute if cookie_samesite is none. [#18462] * DataLinks: Apply scoped variables to data links correctly. [#18454] * DataLinks: Respect timezone when displaying datapoint's timestamp in graph context menu. [#18461] * DataLinks: Use datapoint timestamp correctly when interpolating variables. [#18459] * Explore: Fix loading error for empty queries. [#18488] * Graph: Fix legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. [#18563] * Graphite: Avoid glob of single-value array variables . [#18420] * Prometheus: Fix queries with label_replace remove the \$1 match when loading query editor. [#18480] * Prometheus: More consistently allows for multi-line queries in editor. [#18362] * TimeSeries: Assume values are all numbers. [#18540] - Update to version 6.3.2 * Gauge/BarGauge: Fix issue with lost thresholds and an issue loading Gauge with avg stat. [#18375] - Update to version 6.3.1 * PanelLinks: Fix crash issue with Gauge & Bar Gauge panels with panel links (drill down links). [#18430] - Update to version 6.3.0 * OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. [#18392] * PanelLinks: Fix render issue when there is no panel description. [#18408] * Auth Proxy: Include additional headers as part of the cache key. [#18298] * OAuth: Fix "missing saved state" OAuth login failure due to SameSite cookie policy. [#18332] * cli: fix for recognizing when in dev mode.. [#18334] * Build grafana images consistently. [#18224] * Docs: SAML. [#18069] * Permissions: Show plugins in nav for non admin users but hide plugin configuration. 
[#18234] * TimePicker: Increase max height of quick range dropdown. [#18247] * DataLinks: Fix incorrect interpolation of \${\_\_series_name} . [#18251] * Loki: Display live tailed logs in correct order in Explore. [#18031] * PhantomJS: Fix rendering on Debian Buster. [#18162] * TimePicker: Fix style issue for custom range popover. [#18244] * Timerange: Fix a bug where custom time ranges didn't respect UTC. [#18248] * remote_cache: Fix redis connstr parsing. [#18204] * Alerting: Add tags to alert rules. [#10989] * Alerting: Attempt to send email notifications to all given email addresses. [#16881] * Alerting: Improve alert rule testing. [#16286] * Alerting: Support for configuring content field for Discord alert notifier. [#17017] * Alertmanager: Replace illegal chars with underscore in label names. [#17002] * Auth: Allow expiration of API keys. [#17678] * Auth: Return device, os and browser when listing user auth tokens in HTTP API. [#17504] * Auth: Support list and revoke of user auth tokens in UI. [#17434] * AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. [#17140] * CloudWatch: Made region visible for AWS Cloudwatch Expressions. [#17243] * Cloudwatch: Add AWS DocDB metrics. [#17241] * Dashboard: Use timezone dashboard setting when exporting to CSV. [#18002] * Data links. [#17267] * Elasticsearch: Support for visualizing logs in Explore . [#17605] * Explore: Adds Live option for supported data sources. [#17062] * Explore: Adds orgId to URL for sharing purposes. [#17895] * Explore: Adds support for new loki 'start' and 'end' params for labels endpoint. [#17512] * Explore: Adds support for toggling raw query mode in explore. [#17870] * Explore: Allow switching between metrics and logs . [#16959] * Explore: Combines the timestamp and local time columns into one. [#17775] * Explore: Display log lines context . [#17097] * Explore: Don't parse log levels if provided by field or label. 
[#17180] * Explore: Improves performance of Logs element by limiting re-rendering. [#17685] * Explore: Support for new LogQL filtering syntax. [#16674] * Explore: Use new TimePicker from Grafana/UI. [#17793] * Explore: handle newlines in LogRow Highlighter. [#17425] * Graph: Added new fill gradient option. [#17528] * GraphPanel: Don't sort series when legend table & sort column is not visible. [#17095] * InfluxDB: Support for visualizing logs in Explore. [#17450] * Logging: Login and Logout actions (#17760). [#17883] * Logging: Move log package to pkg/infra. [#17023] * Metrics: Expose stats about roles as metrics. [#17469] * MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. [#13086] * MySQL: Add support for periodically reloading client certs. [#14892] * Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. [#16984] * Prometheus: Take timezone into account for step alignment. [#17477] * Prometheus: Use overridden panel range for \$\_\_range instead of dashboard range. [#17352] * Prometheus: added time range filter to series labels query. [#16851] * Provisioning: Support folder that doesn't exist yet in dashboard provisioning. [#17407] * Refresh picker: Handle empty intervals. [#17585] * Singlestat: Add y min/max config to singlestat sparklines. [#17527] * Snapshot: use given key and deleteKey. [#16876] * Templating: Correctly display __text in multi-value variable after page reload. [#17840] * Templating: Support selecting all filtered values of a multi-value variable. [#16873] * Tracing: allow propagation with Zipkin headers. [#17009] * Users: Disable users removed from LDAP. [#16820] * SAML: Add SAML as an authentication option (Enterprise) * AddPanel: Fix issue when removing moved add panel widget . [#17659] * CLI: Fix encrypt-datasource-passwords fails with sql error. [#18014] * Elasticsearch: Fix default max concurrent shard requests. [#17770] * Explore: Fix browsing back to dashboard panel. 
[#17061] * Explore: Fix filter by series level in logs graph. [#17798] * Explore: Fix issues when loading and both graph/table are collapsed. [#17113] * Explore: Fix selection/copy of log lines. [#17121] * Fix: Wrap value of multi variable in array when coming from URL. [#16992] * Frontend: Fix for Json tree component not working. [#17608] * Graphite: Fix for issue with alias function being moved last. [#17791] * Graphite: Fix issue with seriesByTag & function with variable param. [#17795] * Graphite: use POST for /metrics/find requests. [#17814] * HTTP Server: Serve Grafana with a custom URL path prefix. [#17048] * InfluxDB: Fix single quotes are not escaped in label value filters. [#17398] * Prometheus: Correctly escape '|' literals in interpolated PromQL variables. [#16932] * Prometheus: Fix when adding label for metrics which contains colons in Explore. [#16760] * SinglestatPanel: Remove background color when value turns null. [#17552] - Update to version 6.2.5 * Grafana-CLI: Wrapper for `grafana-cli` within RPM/DEB packages and config/homepath are now global flags. [#17695] * Panel: Fully escape html in drilldown links (was only sanitized before). [#17731] * Config: Fix connectionstring for remote_cache in defaults.ini. [#17675] * Elasticsearch: Fix empty query (via template variable) should be sent as wildcard. [#17488] * HTTP-Server: Fix Strict-Transport-Security header. [#17644] * TablePanel: fix annotations display. [#17646] - Update to version 6.2.4 * Grafana-CLI: Fix receiving flags via command line . [#17617] * HTTPServer: Fix X-XSS-Protection header formatting. [#17620] - Update to version 6.2.3 * AuthProxy: Optimistic lock pattern for remote cache Set. [#17485] * HTTPServer: Options for returning new headers X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security. [#17522] * Auth Proxy: Fix non-negative cache TTL. [#17495] * Grafana-CLI: Fix receiving configuration flags from the command line. 
[#17606] * OAuth: Fix for wrong user token updated on OAuth refresh in DS proxy. [#17541] * remote_cache: Fix redis. [#17483] - Update to version 6.2.2 * Security: Prevent CSV formula injection attack when exporting data. [#17363] * CloudWatch: Fix error when hiding/disabling queries. [#17283] * Database: Fix slow permission query in folder/dashboard search. [#17427] * Explore: Fix updating time range before running queries. [#17349] * Plugins: Fix plugin config page navigation when using subpath. [#17364] - Update to version 6.2.1 * CLI: Add command to migrate all data sources to use encrypted password fields . [#17118] * Gauge/BarGauge: Improvements to auto value font size . [#17292] * Auth Proxy: Resolve database is locked errors. [#17274] * Database: Retry transaction if sqlite returns database is locked error. [#17276] * Explore: Fix filtering query by clicked value when a Prometheus Table is clicked. [#17083] * Singlestat: Fix issue with value placement and line wraps. [#17249] * Tech: Update jQuery to 3.4.1 to fix issue on iOS 10 based browsers as well as Chrome 53.x. [#17290] - Update to version 6.2.0 * BarGauge: Fix for negative min values. [#17192] * Gauge/BarGauge: Fix for issues editing min & max options. [#17174] * Search: Make only folder name only open search with current folder filter. [#17226] * AzureMonitor: Revert to clearing chained dropdowns. [#17212] * Data source plugins that process hidden queries need to add a "hiddenQueries: true" attribute in plugin.json. [#17124] * Plugins: Support templated urls in plugin routes. [#16599] * Packaging: New MSI windows installer package\*\*. [#17073] * Dashboard: Fix blank dashboard after window resize with panel without title. [#16942] * Dashboard: Fix lazy loading & expanding collapsed rows on mobile. [#17055] * Dashboard: Fix scrolling issues for Edge browser. [#17033] * Dashboard: Show refresh button in first kiosk(tv) mode. 
[#17032] * Explore: Fix empty result from data source should render logs container. [#16999] * Explore: Filter query by clicked value when clicking in a Prometheus Table [#17083] * Explore: Makes it possible to zoom in Explore/Loki/Graph without exception. [#16991] * Gauge: Fix orientation issue after switching from BarGauge to Gauge. [#17064] * GettingStarted: Fix layout issues in getting started panel. [#16941] * InfluxDB: Fix HTTP method should default to GET. [#16949] * Panels: Fix alert icon position in panel header. [#17070] * Panels: Fix panel error tooltip not showing. [#16993] * Plugins: Fix how datemath utils are exposed to plugins. [#16976] * Singlestat: fixed centering issue for very small panels. [#16944] * Search: Scroll issue in dashboard search in latest Chrome. [#17054] * Gauge: Adds background shade to gauge track and improves height usage. [#17019] * RemoteCache: Avoid race condition in Set causing error on insert. . [#17082] * Admin: Add more stats about roles. [#16667] * Alert list panel: Support variables in filters. [#16892] * Alerting: Adjust label for send on all alerts to default . [#16554] * Alerting: Makes timeouts and retries configurable. [#16259] * Alerting: No notification when going from no data to pending. [#16905] * Alerting: Pushover alert, support for different sound for OK. [#16525] * Auth: Enable retries and transaction for some db calls for auth tokens. [#16785] * AzureMonitor: Adds support for multiple subscriptions per data source. [#16922] * Bar Gauge: New multi series enabled gauge like panel with horizontal and vertical layouts and 3 display modes. [#16918] * Build: Upgrades to golang 1.12.4. [#16545] * CloudWatch: Update AWS/IoT metric and dimensions. [#16337] * Config: Show user-friendly error message instead of stack trace. [#16564] * Dashboard: Enable filtering dashboards in search by current folder. [#16790] * Dashboard: Lazy load out of view panels . 
[#15554] * DataProxy: Restore Set-Cookie header after proxy request. [#16838] * Data Sources: Add pattern validation for time input on data source config pages. [#16837] * Elasticsearch: Add 7.x version support. [#16646] * Explore: Adds reconnect for failing data source. [#16226] * Explore: Support user timezone. [#16469] * InfluxDB: Add support for POST HTTP verb. [#16690] * Loki: Search is now case insensitive. [#15948] * OAuth: Update jwt regexp to include `=`. [#16521] * Panels: No title will no longer make panel header take up space. [#16884] * Prometheus: Adds tracing headers for Prometheus datasource. [#16724] * Provisioning: Add API endpoint to reload provisioning configs. [#16579] * Provisioning: Do not allow deletion of provisioned dashboards. [#16211] * Provisioning: Interpolate env vars in provisioning files. [#16499] * Provisioning: Support FolderUid in Dashboard Provisioning Config. [#16559] * Security: Add new setting allow_embedding. [#16853] * Security: Store data source passwords encrypted in secureJsonData. [#16175] * UX: Improve Grafana usage for smaller screens. [#16783] * Units: Add angle units, Arc Minutes and Seconds. [#16271] * CloudWatch: Fix query order not affecting series ordering & color. [#16408] * CloudWatch: Use default alias if there is no alias for metrics. [#16732] * Config: Fix bug where timeouts for alerting was not parsed correctly. [#16784] * Elasticsearch: Fix view percentiles metric in table without date histogram. [#15686] * Explore: Prevents histogram loading from killing Prometheus instance. [#16768] * Graph: Allow override decimals to fully override. [#16414] * Mixed Data Source: Fix error when one query is disabled. [#16409] * Search: Fix search limits and add a page parameter. [#16458] * Security: Responses from backend should not be cached. [#16848] * Gauge Panel: The suffix / prefix options have been removed from the new Gauge Panel (introduced in v6.0). 
[#16870] - Update to version 6.1.6 * Security: Bump jQuery to 3.4.0 . [#16761] * Playlist: Fix loading dashboards by tag. [#16727] - Update to version 6.1.4 * DataPanel: Added missing built-in interval variables to scopedVars. [#16556] * Explore: Adds maxDataPoints to data source query options . [#16513] * Explore: Recalculate intervals on run query. [#16510] * Heatmap: Fix for empty graph when panel is too narrow (#16378). [#16460] * Heatmap: Fix auto decimals when bucket name is not number. [#16609] * QueryInspector: Now shows error responses again. [#16514] - Update to version 6.1.3 * Graph: Fix auto decimals in legend values for some units like `ms` and `s`. [#16455] * Graph: Fix png rendering with legend to the right. [#16463] * Singlestat: Use decimals when manually specified. [#16451] * Fix broken UI switches: Default Data Source switch, Explore Logs switches, Gauge option switches. [#16303] - Update to version 6.1.2 * Graph: Fix series legend color for hidden series. [#16438] * Graph: Fix tooltip highlight on white theme. [#16429] * Styles: Fix menu hover highlight border. [#16431] * Singlestat Panel: Correctly use the override decimals. [#16413] - Update to version 6.1.1 * Graphite: Editing graphite query function now works again. [#16390] * Playlist: Kiosk & auto fit panels modes are working normally again . [#16403] * QueryEditors: Toggle edit mode now always work on slower computers. [#16394] - Update to version 6.1.0 * CloudWatch: Fix for dimension value list when changing dimension key. [#16356] * Graphite: Editing function arguments now works again. [#16297] * InfluxDB: Fix tag names with periods in alert evaluation. [#16255] * PngRendering: Fix for panel height & title centering . [#16351] * Templating: Fix for editing query variables. [#16299] * Prometheus: adhoc filter support [#8253] * Permissions: Editors can become admin for dashboards, folders and teams they create. 
[#15977] * Alerting: Don't include non-existing image in MS Teams notifications. [#16116] * Api: Invalid org invite code [#10506] * Annotations: Fix for native annotations filtered by template variable with pipe. [#15515] * Dashboard: Fix for time regions spanning across midnight. [#16201] * Data Source: Handles nil jsondata field gracefully [#14239] * Data Source: Empty user/password was not updated when updating data sources [#15608] * Elasticsearch: Fix using template variables in the alias field. [#16229] * Elasticsearch: Fix incorrect index pattern padding in alerting queries. [#15892] * Explore: Fix for Prometheus autocomplete not working in Firefox. [#16192] * Explore: Fix for url does not keep query after browser refresh. [#16189] * Gauge: Interpolate scoped variables in repeated gauges [#15739] * Graphite: Fix issue with using series ref and series by tag. [#16111] * Graphite: Fix variable quoting when variable value is numeric. [#16149] * Heatmap: Fix Y-axis tick labels being in wrong order for some Prometheus queries. [#15932] * Heatmap: Negative values are now displayed correctly in graph & legend. [#15953] * Heatmap: legend shows wrong colors for small values [#14019] * InfluxDB: Always close request body even for error status codes. [#16207] * ManageDashboards: Fix for checkboxes not appearing properly Firefox . [#15981] * Playlist: Leaving playlist now always stops playlist . [#15791] * Prometheus: fixes regex ad-hoc filters variables with wildcards. [#16234] * TablePanel: Column color style now works even after removing columns. [#16227] * TablePanel: Fix for white text on white background when value is null. [#16199] - Update to version 6.0.2 * Alerting: Fix issue with AlertList panel links resulting in panel not found errors. [#15975] * Dashboard: Improved error handling when rendering dashboard panels. [#15970] * LDAP: Fix allow anonymous server bind for ldap search. 
[#15872] * Discord: Fix discord notifier so it doesn't crash when there is no image generated. [#15833] * Panel Edit: Prevent search in VizPicker from stealing focus. [#15802] * Data Source admin: Fix url of back button in data source edit page, when root_url configured. [#15759] - Update to version 6.0.1 * Metrics: Fix broken usagestats metrics for /metrics [#15651] * Dashboard: append &kiosk to the url in Kiosk mode [#15765] * Dashboard: respect header in kiosk=tv mode with autofitpanels [#15650] * Image rendering: Fix image rendering issue for dashboards with auto refresh. [#15818] * Dashboard: Fix only users that can edit a dashboard should be able to update panel json. [#15805] * LDAP: fix allow anonymous initial bind for ldap search. [#15803] * UX: Fixed scrollbar not visible initially (only after manual scroll). [#15798] * Data Source admin TestData [#15793] * Dashboard: Fix scrolling issue that caused scroll to be locked to bottom. [#15792] * Explore: Viewers with viewers_can_edit should be able to access /explore. [#15787] * Security fix: limit access to org admin and alerting pages. [#15761] * Panel Edit minInterval changes did not persist [#15757] * Teams: Fix bug when getting teams for user. [#15595] * Stackdriver: fix for float64 bounds for distribution metrics [#14509] * Stackdriver: no reducers available for distribution type [#15179] - Update to version 6.0.0 * Dashboard: fixes click after scroll in series override menu [#15621] * MySQL: fix mysql query using `$__interval_ms` variable throws error [#14507] * Influxdb: Add support for alerting on InfluxDB queries that use the non_negative_difference function [#15415] * Alerting: Fix percent_diff calculation when points are nulls [#15443] * Alerting: Fix handling of alert urls with true flags [#15454] * AzureMonitor: Enable alerting by converting Azure Monitor API to Go [#14623] * Security: Fix CSRF Token validation for POSTs [#1441] * Internal Metrics Edition has been added to the build_info metric. 
This will break any Graphite queries using this metric. Edition will be a new label for the Prometheus metric. [#15363] * Gauge: Fix issue with gauge requests being cancelled [#15366] * Gauge: Accept decimal inputs for thresholds [#15372] * UI: Fix error caused by named colors that are not part of named colors palette [#15373] * Search: Bug pressing special regexp chars in input fields [#12972] * Permissions: No need to have edit permissions to be able to "Save as" [#13066] * Alerting: Adds support for Google Hangouts Chat notifications [#11221] * Elasticsearch: Support bucket script pipeline aggregations [#5968] * Influxdb: Add support for time zone (`tz`) clause [#10322] * Snapshots: Enable deletion of public snapshot [#14109] * Provisioning: Provisioning support for alert notifiers [#10487] * Explore: A whole new way to do ad-hoc metric queries and exploration. Split view in half and compare metrics & logs. * Auth: Replace remember me cookie solution for Grafana's builtin, LDAP and OAuth authentication with a solution based on short-lived tokens [#15303] * Search: Fix for issue with scrolling the "tags filter" dropdown, fixes [#14486] * Prometheus: fix annotation always using 60s step regardless of dashboard range [#14795] * Annotations: Fix creating annotation when graph panel has no data points position the popup outside viewport [#13765] * Piechart/Flot: Fix multiple piechart instances with donut bug [#15062] * Postgres: Fix default port not added when port not configured [#15189] * Alerting: Fix crash bug when alert notifier folders are missing [#15295] * Dashboard: Fix save provisioned dashboard modal [#15219] * Dashboard: Fix having a long query in prometheus dashboard query editor blocks 30% of the query field when on OSX and having native scrollbars [#15122] * Explore: Fix issue with wrapping on long queries [#15222] * Explore: Fix cut & paste adds newline before and after selection [#15223] * Dataproxy: Fix global data source proxy timeout not added 
to correct http client [#15258] * Text Panel: The text panel does no longer by default allow unsanitized HTML. [#4117] * Dashboard: Panel property `minSpan` replaced by `maxPerRow`. Dashboard migration will automatically migrate all dashboard panels using the `minSpan` property to the new `maxPerRow` property [#12991] - Update to version 5.4.3 * MySQL only update session in mysql database when required [#14540] * Alerting Invalid frequency causes division by zero in alert scheduler [#14810] * Dashboard Dashboard links do not update when time range changes [#14493] * Limits Support more than 1000 data sources per org [#13883] * Backend fix signed in user for orgId=0 result should return active org id [#14574] * Provisioning Adds orgId to user dto for provisioned dashboards [#14678] - Update to version 5.4.2 * Data Source admin: Fix for issue creating new data source when same name exists [#14467] * OAuth: Fix for oauth auto login setting, can now be set using env variable [#14435] - Update to version 5.4.1 * Stackdriver: Fix issue with data proxy and Authorization header [#14262] * Units: fixedUnit for Flow:l/min and mL/min [#14294] * Logging: Fix for issue where data proxy logged a secret when debug logging was enabled, now redacted. [#14319] * TSDB: Fix always take dashboard timezone into consideration when handling custom time ranges. * Alerting: Add support for alerting on InfluxDB queries that use the cumulative_sum function. [#14314] * Embedded Graphs: Iframe graph panels should now work as usual. [#14284] * Postgres: Improve PostgreSQL Query Editor if using different Schemas, [#14313] * Quotas: Fix updating org & user quotas. [#14347] * Cloudwatch: Add the AWS/SES Cloudwatch metrics of BounceRate and ComplaintRate to auto complete list. [#14401] * Dashboard Search: Fix filtering by tag issues. 
* Graph: Fix time region issues, [#14425] - Update to version 5.4.0 * Cloudwatch: Fix invalid time range causes segmentation fault [#14150] * Cloudwatch: AWS/CodeBuild metrics and dimensions [#14167] * MySQL: Fix `$__timeFrom()` and `$__timeTo()` should respect local time zone [#14228] * Graph: Fix legend always visible even if configured to be hidden [#14144] * Elasticsearch: Fix regression when using data source version 6.0+ and alerting [#14175] * Alerting: Introduce alert debouncing with the `FOR` setting. [#7886] * Alerting: Option to disable OK alert notifications [#12330] * Postgres/MySQL/MSSQL: Adds support for configuration of max open/idle connections and connection max lifetime. Also, panels with multiple SQL queries will now be executed concurrently [#11711] * MySQL: Graphical query builder [#13762] * MySQL: Support connecting thru Unix socket for MySQL data source [#12342] * MSSQL: Add encrypt setting to allow configuration of how data sent between client and server are encrypted [#13629] * Stackdriver: Not possible to authenticate using GCE metadata server [#13669] * Teams: Team preferences (theme, home dashboard, timezone) support [#12550] * Graph: Time regions support enabling highlight of weekdays and/or certain timespans [#5930] * OAuth: Automatic redirect to sign-in with OAuth [#11893] * Stackdriver: Template query editor [#13561] * Security: Upgrade macaron session package to fix security issue. [#14043] * Postgres/MySQL/MSSQL data sources now per default uses `max open connections` = `unlimited` (earlier 10), `max idle connections` = `2` (earlier 10) and `connection max lifetime` = `4` hours (earlier unlimited). 
- Update to version 5.3.4 * Alerting: Delete alerts when parent folder was deleted [#13322] * MySQL: Fix `$__timeFilter()` should respect local time zone [#13769] * Dashboard: Fix data source selection in panel by enter key [#13932] * Graph: Fix table legend height when positioned below graph and using Internet Explorer 11 [#13903] * Dataproxy: Drop origin and referer http headers [#13328] - Update to version 5.3.3 * Fix file exfiltration vulnerability - Update to version 5.3.2 * InfluxDB/Graphite/Postgres: Prevent XSS in query editor [#13667] * Postgres: Fix template variables error [#13692] * Cloudwatch: Fix service panic because of race conditions [#13674] * Cloudwatch: Fix check for invalid percentile statistics [#13633] * Stackdriver/Cloudwatch: Allow user to change unit in graph panel if cloudwatch/stackdriver data source response doesn't include unit [#13718] * Stackdriver: stackdriver user-metrics duplicated response when multiple resource types [#13691] * Variables: Fix text box template variable doesn't work properly without a default value [#13666] * Variables: Fix variable dependency check when using `${var}` format [#13600] * Dashboard: Fix kiosk=1 url parameter should put dashboard in kiosk mode [#13764] * LDAP: Fix super admins can also be admins of orgs [#13710] * Provisioning: Fix deleting provisioned dashboard folder should cleanup provisioning meta data [#13280] - Update to version 5.3.1 * Render: Fix PhantomJS render of graph panel when legend displayed as table to the right [#13616] * Stackdriver: Filter option disappears after removing initial filter [#13607] * Elasticsearch: Fix no limit size in terms aggregation for alerting queries [#13172] * InfluxDB: Fix for annotation issue that caused text to be shown twice [#13553] * Variables: Fix nesting variables leads to exception and missing refresh [#13628] * Variables: Prometheus: Single letter labels are not supported [#13641] * Graph: Fix graph time formatting for Last 24h ranges [#13650] * 
Playlist: Fix cannot add dashboards with long names to playlist [#13464] * HTTP API: Fix /api/org/users so that query and limit querystrings works - Update to version 5.3.0 * Stackdriver: Filter wildcards and regex matching are not yet supported [#13495] * Stackdriver: Support the distribution metric type for heatmaps [#13559] * Cloudwatch: Automatically set graph yaxis unit [#13575] * Stackdriver: Fix for missing ngInject [#13511] * Permissions: Fix for broken permissions selector [#13507] * Alerting: Alert reminders deduping not working as expected when running multiple Grafana instances [#13492] * Annotations: Enable template variables in tagged annotations queries [#9735] * Stackdriver: Support for Google Stackdriver data source [#13289] * Alerting: Notification reminders [#7330] * Dashboard: TV & Kiosk mode changes, new cycle view mode button in dashboard toolbar [#13025] * OAuth: Gitlab OAuth with support for filter by groups [#5623] * Postgres: Graphical query builder [#10095] * LDAP: Define Grafana Admin permission in ldap group mappings [#2469] * LDAP: Client certificates support [#12805] * Profile: List teams that the user is member of in current/active organization [#12476] * Configuration: Allow auto-assigning users to specific organization (other than Main. Org) [#1823] * Dataproxy: Pass configured/auth headers to a data source [#10971] * CloudWatch: GetMetricData support [#11487] * Postgres: TimescaleDB support, e.g. use `time_bucket` for grouping by time when option enabled [#12680] * Cleanup: Make temp file time to live configurable [#11607] * Postgres data source no longer automatically adds time column alias when using the $__timeGroup alias. 
* Kiosk mode now also hides submenu (variables) * ?inactive url parameter no longer supported, replaced with kiosk=tv url parameter * Dashboard: Auto fit dashboard panels to optimize space used for current TV or Monitor [#12768] * Frontend: Convert all Frontend Karma tests to Jest tests [#12224] * Backend: Upgrade to golang 1.11 [#13030] - Update to version 5.2.4 * GrafanaCli: Fix issue with grafana-cli install plugin resulting in corrupt http response from source error. [#13079] - Update to version 5.2.3 * Important fix for LDAP & OAuth login vulnerability - Update to version 5.2.2 * Prometheus: Fix graph panel bar width issue in aligned prometheus queries [#12379] * Dashboard: Dashboard links not updated when changing variables [#12506] * Postgres/MySQL/MSSQL: Fix connection leak [#12636] * Plugins: Fix loading of external plugins [#12551] * Dashboard: Remove unwanted scrollbars in embedded panels [#12589] * Prometheus: Prevent error using `$__interval_ms` in query [#12533] - Update to version 5.2.1 * Auth Proxy: Important security fix for whitelist of IP address feature [#12444] * UI: Fix - Grafana footer overlapping page [#12430] * Logging: Errors should be reported before crashing [#12438] - Update to version 5.2.0 * Plugins: Handle errors correctly when loading data source plugin [#12383] * Render: Enhance error message if phantomjs executable is not found [#11868] * Dashboard: Set correct text in drop down when variable is present in url [#11968] * LDAP: Handle "dn" ldap attribute more gracefully [#12385] * Dashboard: Import dashboard to folder [#10796] * Permissions: Important security fix for API keys with viewer role [#12343] * Dashboard: Fix so panel titles doesn't wrap [#11074] * Dashboard: Prevent double-click when saving dashboard [#11963] * Dashboard: AutoFocus the add-panel search filter [#12189] * Units: W/m2 (energy), l/h (flow) and kPa (pressure) [#11233] * Units: Liter/min (flow) and milliLiter/min (flow) [#12282] * Alerting: Fix mobile 
notifications for Microsoft Teams alert notifier [#11484] * Influxdb: Add support for mode function [#12286] * Cloudwatch: Fix panic caused by bad timerange settings [#12199] * Auth Proxy: Whitelist proxy IP address instead of client IP address [#10707] * User Management: Make sure that a user always has a current org assigned [#11076] * Snapshots: Fix: annotations not properly extracted leading to incorrect rendering of annotations [#12278] * LDAP: Allow use of DN in group_search_filter_user_attribute and member_of [#3132] * Graph: Fix legend decimals precision calculation [#11792] * Dashboard: Make sure to process panels in collapsed rows when exporting dashboard [#12256] * Dashboard: Dashboard link doesn't work when "As dropdown" option is checked [#12315] * Dashboard: Fix regressions after save modal changes, including adhoc template issues [#12240] * Elasticsearch: Alerting support [#5893] * Build: Crosscompile and packages Grafana on arm, windows, linux and darwin [#11920] * Login: Change admin password after first login [#11882] * Alert list panel: Updated to support filtering alerts by name, dashboard title, folder, tags [#11500] * Dashboard: Modified time range and variables are now not saved by default [#10748] * Graph: Show invisible highest value bucket in histogram [#11498] * Dashboard: Enable "Save As..." if user has edit permission [#11625] * Prometheus: Query dates are now step-aligned [#10434] * Prometheus: Table columns order now changes when rearrange queries [#11690] * Variables: Fix variable interpolation when using multiple formatting types [#11800] * Dashboard: Fix date selector styling for dark/light theme in time picker control [#11616] * Discord: Alert notification channel type for Discord, [#7964] * InfluxDB: Support SELECT queries in templating query, [#5013] * InfluxDB: Support count distinct aggregation [#11645] * Dashboard: JSON Model under dashboard settings can now be updated & changes saved. 
[#1429] * Security: Fix XSS vulnerabilities in dashboard links [#11813] * Singlestat: Fix "time of last point" shows local time when dashboard timezone set to UTC [#10338] * Prometheus: Add support for passing timeout parameter to Prometheus [#11788] * Login: Add optional option sign out url for generic oauth [#9847] * Login: Use proxy server from environment variable if available [#9703] * Invite users: Friendlier error message when smtp is not configured [#12087] * Graphite: Don't send distributed tracing headers when using direct/browser access mode [#11494] * Sidenav: Show create dashboard link for viewers if at least editor in one folder [#11858] * SQL: Second epochs are now correctly converted to ms. [#12085] * Singlestat: Fix singlestat threshold tooltip [#11971] * Dashboard: Hide grid controls in fullscreen/low-activity views [#11771] * Dashboard: Validate uid when importing dashboards [#11515] * Alert list panel: Show alerts for user with viewer role [#11167] * Provisioning: Verify checksum of dashboards before updating to reduce load on database [#11670] * Provisioning: Support symlinked files in dashboard provisioning config files [#11958] * Dashboard list panel: Search dashboards by folder [#11525] * Sidenav: Always show server admin link in sidenav if grafana admin [#11657] - Update to version 5.1.4 * Permissions: Important security fix for API keys with viewer role [#12343] - Update to version 5.1.3 * Scroll: Graph panel / legend texts shifts on the left each time we move scrollbar on firefox [#11830] - Update to version 5.1.2 * Database: Fix MySql migration issue [#11862] * Google Analytics: Enable Google Analytics anonymizeIP setting for GDPR [#11656] - Update to version 5.1.1 * LDAP: LDAP login with MariaDB/MySQL database and dn>100 chars not possible [#11754] * Build: AppVeyor Windows build missing version and commit info [#11758] * Scroll: Scroll can't start in graphs on Chrome mobile [#11710] * Units: Revert renaming of unit key ppm [#11743] - 
Update to version 5.1.0 * Folders: Default permissions on folder are not shown as inherited in its dashboards [#11668] * Templating: Allow more than 20 previews when creating a variable [#11508] * Dashboard: Row edit icon not shown [#11466] * SQL: Unsupported data types for value column using time series query [#11703] * Prometheus: Prometheus query inspector expands to be very large on autocomplete queries [#11673] * MSSQL: New Microsoft SQL Server data source [#10093] * Prometheus: The heatmap panel now supports Prometheus histograms [#10009] * Postgres/MySQL: Ability to insert 0s or nulls for missing intervals [#9487] * Postgres/MySQL/MSSQL: Fix precision for the time column in table mode [#11306] * Graph: Align left and right Y-axes to one level [#1271] * Graph: Thresholds for Right Y axis [#7107] * Graph: Support multiple series stacking in histogram mode [#8151] * Alerting: Pausing/un-pausing alerts now updates new_state_date [#10942] * Alerting: Support Pagerduty notification channel using Pagerduty V2 API [#10531] * Templating: Add comma templating format [#10632] * Prometheus: Show template variable candidate in query editor [#9210] * Prometheus: Support POST for query and query_range [#9859] * Alerting: Add support for retries on alert queries [#5855] * Table: Table plugin value mappings [#7119] * IE11: IE 11 compatibility [#11165] * Scrolling: Better scrolling experience [#11053] * Folders: A folder admin cannot add user/team permissions for folder/its dashboards [#11173] * Provisioning: Improved workflow for provisioned dashboards [#10883] * OpsGenie: Add triggered alerts as description [#11046] * Cloudwatch: Support high resolution metrics [#10925] * Cloudwatch: Add dimension filtering to CloudWatch `dimension_values()` [#10029] * Units: Second to HH:mm:ss formatter [#11107] * Singlestat: Add color to prefix and postfix in singlestat panel [#11143] * Dashboards: Version cleanup fails on old databases with many entries [#11278] * Server: Adjust permissions of 
unix socket [#11343] * Shortcuts: Add shortcut for duplicate panel [#11102] * AuthProxy: Support IPv6 in Auth proxy white list [#11330] * SMTP: Don't connect to SMTP server using TLS unless configured. [#7189] * Prometheus: Escape backslash in labels correctly. [#10555] * Variables: Case-insensitive sorting for template values [#11128] * Annotations (native): Change default limit from 10 to 100 when querying api [#11569] * MySQL/Postgres/MSSQL: PostgreSQL data source generates invalid query with dates before 1970 [#11530] * Kiosk: Adds url parameter for starting a dashboard in inactive mode [#11228] * Dashboard: Enable closing timepicker using escape key [#11332] * Data Sources: Rename direct access mode in the data source settings [#11391] * Search: Display dashboards in folder indented [#11073] * Units: Use B/s instead of Bps for Bytes per second [#9342] * Units: Radiation units [#11001] * Units: Timeticks unit [#11183] * Units: Concentration units and "Normal cubic meter" [#11211] * Units: New currency - Czech koruna [#11384] * Avatar: Fix DISABLE_GRAVATAR option [#11095] * Heatmap: Disable log scale when using time series buckets [#10792] * Provisioning: Remove `id` from json when provisioning dashboards, [#11138] * Prometheus: tooltip for legend format not showing properly [#11516] * Playlist: Empty playlists cannot be deleted [#11133] * Switch Orgs: Alphabetic order in Switch Organization modal [#11556] * Postgres: improve `$__timeFilter` macro [#11578] * Permission list: Improved ux [#10747] * Dashboard: Sizing and positioning of settings menu icons [#11572] * Dashboard: Add search filter/tabs to new panel control [#10427] * Folders: User with org viewer role should not be able to save/move dashboards in/to general folder [#11553] * Influxdb: Don't assume the first column in table response is time. 
[#11476] - Update to version 5.0.4 * Dashboard Fix inability to link collapsed panels directly to [#11114] * Dashboard Provisioning dashboard with alert rules should create alerts [#11247] * Snapshots For snapshots, the Graph panel renders the legend incorrectly on right hand side [#11318] * Alerting Link back to Grafana returns wrong URL if root_path contains sub-path components [#11403] * Alerting Incorrect default value for upload images setting for alert notifiers [#11413] - Update to version 5.0.3 * Mysql: Mysql panic occurring occasionally upon Grafana dashboard access (a bigger patch than the one in 5.0.2) [#11155] - Update to version 5.0.2 * Mysql: Mysql panic occurring occasionally upon Grafana dashboard access [#11155] * Dashboards: Should be possible to browse dashboard using only uid [#11231] * Alerting: Fix bug where alerts from hidden panels were deleted [#11222] * Import: Fix bug where dashboards with alerts couldn't be imported [#11227] * Teams: Remove quota restrictions from teams [#11220] * Render: Fix bug with legacy url redirection for panel rendering [#11180] - Update to version 5.0.1 * Postgres: PostgreSQL error when using ipv6 address as hostname in connection string [#11055] * Dashboards: Changing templated value from dropdown is causing unsaved changes [#11063] * Prometheus: Fix bundled Prometheus 2.0 dashboard [#11016] * Sidemenu: Profile menu "invisible" when gravatar is disabled [#11097] * Dashboard: Fix a bug with resizable handles for panels [#11103] * Alerting: Telegram inline image mode fails when caption too long [#10975] * Alerting: Fix silent failing validation [#11145] * OAuth: Only use jwt token if it contains an email address [#11127] - Update to version 5.0.0 * oauth Fix GitHub OAuth not working with private Organizations [#11028] * kiosk white area over bottom panels in kiosk mode [#11010] * alerting Fix OK state doesn't show up in Microsoft Teams [#11032] * Permissions Fix search permissions issues [#10822] * Permissions 
Fix problem issues displaying permissions lists [#10864] * PNG-Rendering Fix problem rendering legend to the right [#10526] * Reset password Fix problem with reset password form [#10870] * Light theme Fix problem with light theme in safari [#10869] * Provisioning Now handles deletes when dashboard json files removed from disk [#10865] * MySQL: Fix issue with schema migration on old mysql (index too long) [#10779] * GitHub OAuth: Fix fetching github orgs from private github org [#10823] * Embedding: Fix issues with embedding panel [#10787] * Dashboards: Dashboard folders [#1611] * Teams User groups (teams) implemented. Can be used in folder & dashboard permission list. * Dashboard grid: Panels are now laid out in a two dimensional grid (with x, y, w, h). [#9093] * Templating: Vertical repeat direction for panel repeats. * UX: Major update to page header and navigation * Dashboard settings: Combine dashboard settings views into one with side menu [#9750] * Persistent dashboard url's: New url's for dashboards that allows renaming dashboards without breaking links. [#7883] * dashboard.json files have been replaced with dashboard provisioning API. * Config files for provisioning data sources as configuration have changed from /etc/grafana/conf/datasources to /etc/grafana/provisioning/datasources. * Pagerduty notifier now defaults to not auto resolve incidents. More details at [#10222] * `GET /api/alerts` property dashboardUri renamed to url * New grid engine for positioning dashboard panels * Alerting: Add support for internal image store [#6922] * Data Source Proxy: Add support for whitelisting specified cookies to be passed through to the data source when proxying [#5457] * Postgres/MySQL: add `$__timeGroup` macro for mysql [#9596] * Text: Text panel are now edited in the ace editor. 
[#9698] * Teams: Add Microsoft Teams notifier as [#8523] * Data Sources: Its now possible to configure data sources with config files [#1789] * Graphite: Query editor updated to support new query by tag features [#9230] * Dashboard history: New config file option versions_to_keep sets how many versions per dashboard to store, [#9671] * Dashboard as cfg: Load dashboards from file into Grafana on startup/change [#9654] * Prometheus: Grafana can now send alerts to Prometheus Alertmanager while firing [#7481] * Table: Support multiple table formatted queries in table panel [#9170] * Security: Protect against brute force (frequent) login attempts [#7616] * Graph: Don't hide graph display options (Lines/Points) when draw mode is unchecked [#9770] * Alert panel: Adds placeholder text when no alerts are within the time range [#9624] * Mysql: MySQL enable MaxOpenCon and MaxIdleCon regardless of how the connection string is configured. [#9784] * Cloudwatch: Fix broken query inspector for cloudwatch [#9661] * Dashboard: Make it possible to start dashboards from search and dashboard list panel [#1871] * Annotations: Posting annotations now return the id of the annotation [#9798] * Systemd: Use systemd notification ready flag [#10024] * GitHub: Use organizations_url provided from github to verify user belongs in org. [#10111] * Backend: Fix bug where Grafana exited before all subroutines were finished [#10131] * Azure: Adds support for Azure blob storage as external image store [#8955] * Telegram: Add support for inline image uploads to telegram notifier plugin [#9967] * Sensu: Send alert message to sensu output [#9551] * Singlestat: suppress error when result contains no datapoints [#9636] * Postgres/MySQL: Control quoting in SQL-queries when using template variables [#9030] * Pagerduty: Pagerduty don't auto resolve incidents by default anymore. [#10222] * Cloudwatch: Fix for multi-valued templated queries. 
[#9903] * RabbitMq: Remove support for publishing events to RabbitMQ [#9645] * API: GET /api/dashboards/db/:slug deprecated, use GET /api/dashboards/uid/:uid * API: DELETE /api/dashboards/db/:slug deprecated, use DELETE /api/dashboards/uid/:uid * API: `uri` property in GET /api/search deprecated, use `url` or `uid` property * API: `meta.slug` property in GET /api/dashboards/uid/:uid and GET /api/dashboards/db/:slug deprecated, use `meta.url` or `dashboard.uid` property Changes in grafana-natel-discrete-panel: - Add recompress source service - Add set_version source service - Enable changesgenerate for tar_scm source service - Update to version 0.0.9: * split commands * put back the history Changes in openstack-cinder: - Update to version cinder-11.2.3.dev29: * Remove VxFlex OS credentials from connection_properties * Fix stable/pike gate * tintri: Enable SSL with requests * [Unity] Fix TypeError for test case test_delete_host_wo_lock Changes in openstack-cinder: - Update to version cinder-11.2.3.dev29: * Remove VxFlex OS credentials from connection_properties * Fix stable/pike gate * tintri: Enable SSL with requests * [Unity] Fix TypeError for test case test_delete_host_wo_lock Changes in openstack-monasca-installer: - Add 0001-Add-support-for-ansible-2.9.patch Changes in openstack-neutron: - Update to version neutron-11.0.9.dev69: * Do not block connection between br-int and br-phys on startup * [EM releases] Move non-voting jobs to the experimental queue - Update to version neutron-11.0.9.dev66: * Fix pike gates, multiple fixes Changes in openstack-neutron: - Add 0001-Ensure-drop-flows-on-br-int-at-agent-startup-for-DVR-too.patch (LP#1887148) - Update to version neutron-11.0.9.dev69: * Do not block connection between br-int and br-phys on startup * [EM releases] Move non-voting jobs to the experimental queue - Update to version neutron-11.0.9.dev66: * Fix pike gates, multiple fixes Changes in openstack-nova: - Update to version nova-16.1.9.dev76: * 
Removed the host FQDN from the exception message - Update to version nova-16.1.9.dev74: * libvirt: Provide VIR_MIGRATE_PARAM_PERSIST_XML during live migration - Update to version nova-16.1.9.dev73: * Fix os-simple-tenant-usage result order - Update to version nova-16.1.9.dev71: * Fix false ERROR message at compute restart - Update to version nova-16.1.9.dev69: * Check cherry-pick hashes in pep8 tox target - Update to version nova-16.1.9.dev67: * libvirt: Do not reraise DiskNotFound exceptions during resize - Update to version nova-16.1.9.dev66: * Clean up allocation if unshelve fails due to neutron * Reproduce bug 1862633 - Update to version nova-16.1.9.dev64: * Init HostState.failed_builds - Update to version nova-16.1.9.dev62: * Fix os_CODENAME detection and repo refresh during ceph tests Changes in openstack-nova: - Update to version nova-16.1.9.dev76: * Removed the host FQDN from the exception message - Rebased patches: + 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch dropped (merged upstream) - Update to version nova-16.1.9.dev74: * libvirt: Provide VIR_MIGRATE_PARAM_PERSIST_XML during live migration - Add 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch * (bsc#1175484, CVE-2020-17376) - Update to version nova-16.1.9.dev73: * Fix os-simple-tenant-usage result order - Update to version nova-16.1.9.dev71: * Fix false ERROR message at compute restart - Update to version nova-16.1.9.dev69: * Check cherry-pick hashes in pep8 tox target - Update to version nova-16.1.9.dev67: * libvirt: Do not reraise DiskNotFound exceptions during resize - Update to version nova-16.1.9.dev66: * Clean up allocation if unshelve fails due to neutron * Reproduce bug 1862633 - Update to version nova-16.1.9.dev64: * Init HostState.failed_builds - Update to version nova-16.1.9.dev62: * Fix os_CODENAME detection and repo refresh during ceph tests Changes in python-Django: - Update to version 1.11.29 (bsc#1161919, CVE-2020-7471, 
bsc#1165022, CVE-2020-9402, bsc#1159447, CVE-2019-19844) * Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. * Pinned PyYAML < 5.3 in test requirements. * Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. * Fixed timezones tests for PyYAML 5.3+. * Fixed CVE-2019-19844 -- Used verified user email for password reset requests. * Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs. * Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform. * Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation. * Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params. * Added patch CVE-2020-13254.patch * Added patch CVE-2020-13596.patch Changes in python-Flask-Cors: - Add patches to fix a relative directory traversal issue (boo#1175986, CVE-2020-25032): * 0001-Handle-request_headers-None.patch * 0002-Fix-request-path-normalization.patch Changes in python-Pillow: - Add 011-Fix-OOB-reads-in-FLI-decoding.patch * From upstream, backported * Fixes CVE-2020-10177, bsc#1173413 - Add 012-Fix-bounds-overflow-in-JPEG-2000-decoding.patch * From upstream, backported * Fixes CVE-2020-10994, bsc#1173418 - Add 013-Fix-bounds-overflow-in-PCX-decoding.patch * From upstream, backported * Fixes CVE-2020-10378, bsc#1173416 Changes in python-ardana-packager: - fetch updated nova_host_aggregate from git - Add missing novaclient required domain entries (bsc#1174006) Changes in python-keystoneclient: - add 2020-tests-pass.patch: - Make tests pass in 2020 - update to version 3.13.1 - Updated from global requirements - Update .gitreview for stable/pike - Update UPPER_CONSTRAINTS_FILE for stable/pike - import zuul job settings from project-config - Avoid tox_install.sh for constraints support Changes in python-keystonemiddleware: - added 0001-Make-tests-pass-in-2022.patch - removed 
0001-Add-use_oslo_messaging-option.patch - update to version 4.17.1 - Update .gitreview for stable/pike - Update UPPER_CONSTRAINTS_FILE for stable/pike - Add option to disable using oslo_message notifier - Fix docs builds - Updated from global requirements - import zuul job settings from project-config Changes in python-kombu: - Add 0001-Fix-failing-unittests-of-pyamqp-transport.patch Changes in python-straight-plugin: - Add pip_no_plugins.patch to avoid error: "UnboundLocalError: local variable 'r' referenced before assignment", when there is no plugin available. - Initial packaging Changes in python-urllib3: - Update urllib3-fix-test-urls.patch. Adjust to match upstream solution. - Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740. - Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bsc#1177120, CVE-2020-26137) Changes in release-notes-suse-openstack-cloud: - Update to version 8.20200922: * postgreSQL db replace changes are updated for suse openstack cloud section (SOC-11000) Changes in storm: - Fix duplicate BuildRequire on storm-kit - update to 1.2.3 (SOC-9974, CVE-2019-0202, SOC-9998, CVE-2018-11779): * 1.2.3 * [STORM-3233] - Upgrade zookeeper client to newest version (3.4.13) * [STORM-3077] - Upgrade Disruptor version to 3.3.11 * [STORM-3083] - Upgrade HikariCP version to 2.4.7 * [STORM-3094] - Topology name needs to be validated at storm-client * [STORM-3222] - Fix KafkaSpout internals to use LinkedList instead of ArrayList * [STORM-3292] - Trident HiveState must flush writers when the batch commits * [STORM-3013] - Deactivated topology restarts if data flows into Kafka * [STORM-3028] - HdfsSpout does not handle empty files in case of ack enabled * [STORM-3046] - Getting a NPE leading worker to die when starting a topology. 
* [STORM-3047] - Ensure Trident emitter refreshPartitions is only called with partitions assigned to the emitter * [STORM-3055] - never refresh connection * [STORM-3068] - STORM_JAR_JVM_OPTS are not passed to storm-kafka-monitor properly * [STORM-3082] - NamedTopicFilter can't handle topics that don't exist yet * [STORM-3087] - FluxBuilder.canInvokeWithArgs is too permissive when the method parameter type is a primitive * [STORM-3090] - The same offset value is used by the same partition number of different topics. * [STORM-3097] - Remove storm-druid in 2.x and deprecate support for it in 1.x * [STORM-3102] - Storm Kafka Client performance issues with Kafka Client v1.0.0 * [STORM-3109] - Wrong canonical path set to STORM_LOCAL_DIR in storm kill_workers * [STORM-3110] - Supervisor does not kill all worker processes in secure mode in case of user mismatch * [STORM-3121] - Fix flaky metrics tests in storm-core * [STORM-3122] - FNFE due to race condition between "async localizer" and "update blob" timer thread * [STORM-3123] - Storm Kafka Monitor does not work with Kafka over two-way SSL * [STORM-3161] - Local mode should force setting min replication count to 1 * [STORM-3164] - Multilang storm.py uses traceback.format_exc incorrectly * [STORM-3184] - Storm supervisor log showing keystore and truststore password in plaintext * [STORM-3201] - kafka spout lag on UI needs some cleanup * [STORM-3301] - The KafkaSpout can in some cases still replay tuples that were already committed * [STORM-3381] - Upgrading to Zookeeper 3.4.14 added an LGPL dependency * [STORM-3384] - storm set-log-level command throws wrong exception when the topology is not running * [STORM-3086] - Update Flux documentation to demonstrate static factory methods (STORM-2796) * [STORM-3089] - Document worker hooks on the hooks page * [STORM-3199] - Metrics-ganglia depends on an LGPL library, so we shouldn't depend on it * [STORM-3289] - Add note about KAFKA-7044 to storm-kafka-client compatibility docs * 
[STORM-3330] - Migrate parts of storm-webapp, and reduce use of mocks for files * 1.2.2 * [STORM-3026] - Upgrade ZK instance for security * [STORM-3027] - Make Impersonation Optional * [STORM-2896] - Support automatic migration of offsets from storm-kafka to storm-kafka-client KafkaSpout * [STORM-2997] - Add logviewer ssl module in SECURITY.md * [STORM-3006] - Distributed RPC documentation needs an update * [STORM-3011] - Use default bin path in flight.bash if $JAVA_HOME is undefined * [STORM-3022] - Decouple storm-hive UTs with Hive * [STORM-3039] - Ports of killed topologies remain in TIME_WAIT state preventing to start new topology * [STORM-3069] - Allow users to specify maven local repository directory for storm submit tool * [STORM-2911] - SpoutConfig is serializable but does not declare a serialVersionUID field * [STORM-2967] - Upgrade jackson to latest version 2.9.4 * [STORM-2968] - Exclude a few unwanted jars from storm-autocreds * [STORM-2978] - The fix for STORM-2706 is broken, and adds a transitive dependency on Zookeeper 3.5.3-beta for projects that depend on e.g. 
storm-kafka * [STORM-2979] - WorkerHooks EOFException during run_worker_shutdown_hooks * [STORM-2981] - Upgrade Curator to lastest patch version * [STORM-2985] - Add jackson-annotations to dependency management * [STORM-2988] - "Error on initialization of server mk-worker" when using org.apache.storm.metrics2.reporters.JmxStormReporter on worker * [STORM-2989] - LogCleaner should preserve current worker.log.metrics * [STORM-2993] - Storm HDFS bolt throws ClosedChannelException when Time rotation policy is used * [STORM-2994] - KafkaSpout consumes messages but doesn't commit offsets * [STORM-3043] - NullPointerException thrown in SimpleRecordTranslator.apply() * [STORM-3052] - Let blobs un archive * [STORM-3059] - KafkaSpout throws NPE when hitting a null tuple if the processing guarantee is not AT_LEAST_ONCE * [STORM-2960] - Better to stress importance of setting up proper OS account for Storm processes * [STORM-3060] - Configuration mapping between storm-kafka & storm-kafka-client * [STORM-2952] - Deprecate storm-kafka in 1.x * [STORM-3005] - [DRPC] LinearDRPCTopologyBuilder shouldn't be deprecated Changes in storm-kit: - Add _constraints to prevent build from running out of disk space - Updated kit for storm-1.2.3 Changes in venv-openstack-cinder: - Ensure that python-swiftclient is pulled into the built venv via an explicit BuildRequires directive. (SOC-10522) Changes in venv-openstack-swift: - Ensure that python-oslo.log is pulled into the built venv by explicitly requiring the package using a BuildRequires entry. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3309=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3309=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3309=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1 documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1 documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1 documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1 documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1 grafana-natel-discrete-panel-0.0.9-3.3.6 openstack-cinder-11.2.3~dev29-3.28.2 openstack-cinder-api-11.2.3~dev29-3.28.2 openstack-cinder-backup-11.2.3~dev29-3.28.2 openstack-cinder-doc-11.2.3~dev29-3.28.1 openstack-cinder-scheduler-11.2.3~dev29-3.28.2 openstack-cinder-volume-11.2.3~dev29-3.28.2 openstack-monasca-installer-20190923_16.32-3.15.1 openstack-neutron-11.0.9~dev69-3.37.2 openstack-neutron-dhcp-agent-11.0.9~dev69-3.37.2 openstack-neutron-doc-11.0.9~dev69-3.37.1 openstack-neutron-ha-tool-11.0.9~dev69-3.37.2 openstack-neutron-l3-agent-11.0.9~dev69-3.37.2 openstack-neutron-linuxbridge-agent-11.0.9~dev69-3.37.2 openstack-neutron-macvtap-agent-11.0.9~dev69-3.37.2 openstack-neutron-metadata-agent-11.0.9~dev69-3.37.2 openstack-neutron-metering-agent-11.0.9~dev69-3.37.2 openstack-neutron-openvswitch-agent-11.0.9~dev69-3.37.2 openstack-neutron-server-11.0.9~dev69-3.37.2 openstack-nova-16.1.9~dev76-3.39.2 openstack-nova-api-16.1.9~dev76-3.39.2 openstack-nova-cells-16.1.9~dev76-3.39.2 openstack-nova-compute-16.1.9~dev76-3.39.2 openstack-nova-conductor-16.1.9~dev76-3.39.2 openstack-nova-console-16.1.9~dev76-3.39.2 openstack-nova-consoleauth-16.1.9~dev76-3.39.2 openstack-nova-doc-16.1.9~dev76-3.39.1 openstack-nova-novncproxy-16.1.9~dev76-3.39.2 
openstack-nova-placement-api-16.1.9~dev76-3.39.2 openstack-nova-scheduler-16.1.9~dev76-3.39.2 openstack-nova-serialproxy-16.1.9~dev76-3.39.2 openstack-nova-vncproxy-16.1.9~dev76-3.39.2 python-Django-1.11.29-3.19.2 python-cinder-11.2.3~dev29-3.28.2 python-keystoneclient-3.13.1-3.3.2 python-keystoneclient-doc-3.13.1-3.3.2 python-keystonemiddleware-4.17.1-5.3.1 python-kombu-4.1.0-3.7.1 python-neutron-11.0.9~dev69-3.37.2 python-nova-16.1.9~dev76-3.39.2 python-straight-plugin-1.5.0-1.3.1 python-urllib3-1.22-5.12.1 release-notes-suse-openstack-cloud-8.20200922-3.23.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): ansible-2.9.14-3.15.1 crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1 crowbar-core-branding-upstream-5.0+git.1600432272.b3ad722f0-3.44.1 grafana-6.7.4-4.12.1 grafana-debuginfo-6.7.4-4.12.1 python-Pillow-4.2.1-3.9.2 python-Pillow-debuginfo-4.2.1-3.9.2 python-Pillow-debugsource-4.2.1-3.9.2 ruby2.1-rubygem-crowbar-client-3.9.3-1.1 storm-1.2.3-3.6.1 storm-nimbus-1.2.3-3.6.1 storm-supervisor-1.2.3-3.6.1 - SUSE OpenStack Cloud 8 (noarch): ardana-ansible-8.0+git.1596735237.54109b1-3.77.1 ardana-cinder-8.0+git.1596129856.263f430-3.43.1 ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1 ardana-mq-8.0+git.1593618123.678c32b-3.26.1 ardana-nova-8.0+git.1601298847.dd01585-3.42.1 ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1 documentation-suse-openstack-cloud-installation-8.20201007-1.29.1 documentation-suse-openstack-cloud-operations-8.20201007-1.29.1 documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1 documentation-suse-openstack-cloud-planning-8.20201007-1.29.1 documentation-suse-openstack-cloud-security-8.20201007-1.29.1 documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1 documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1 documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1 documentation-suse-openstack-cloud-user-8.20201007-1.29.1 grafana-natel-discrete-panel-0.0.9-3.3.6 openstack-cinder-11.2.3~dev29-3.28.2 
openstack-cinder-api-11.2.3~dev29-3.28.2 openstack-cinder-backup-11.2.3~dev29-3.28.2 openstack-cinder-doc-11.2.3~dev29-3.28.1 openstack-cinder-scheduler-11.2.3~dev29-3.28.2 openstack-cinder-volume-11.2.3~dev29-3.28.2 openstack-monasca-installer-20190923_16.32-3.15.1 openstack-neutron-11.0.9~dev69-3.37.2 openstack-neutron-dhcp-agent-11.0.9~dev69-3.37.2 openstack-neutron-doc-11.0.9~dev69-3.37.1 openstack-neutron-ha-tool-11.0.9~dev69-3.37.2 openstack-neutron-l3-agent-11.0.9~dev69-3.37.2 openstack-neutron-linuxbridge-agent-11.0.9~dev69-3.37.2 openstack-neutron-macvtap-agent-11.0.9~dev69-3.37.2 openstack-neutron-metadata-agent-11.0.9~dev69-3.37.2 openstack-neutron-metering-agent-11.0.9~dev69-3.37.2 openstack-neutron-openvswitch-agent-11.0.9~dev69-3.37.2 openstack-neutron-server-11.0.9~dev69-3.37.2 openstack-nova-16.1.9~dev76-3.39.2 openstack-nova-api-16.1.9~dev76-3.39.2 openstack-nova-cells-16.1.9~dev76-3.39.2 openstack-nova-compute-16.1.9~dev76-3.39.2 openstack-nova-conductor-16.1.9~dev76-3.39.2 openstack-nova-console-16.1.9~dev76-3.39.2 openstack-nova-consoleauth-16.1.9~dev76-3.39.2 openstack-nova-doc-16.1.9~dev76-3.39.1 openstack-nova-novncproxy-16.1.9~dev76-3.39.2 openstack-nova-placement-api-16.1.9~dev76-3.39.2 openstack-nova-scheduler-16.1.9~dev76-3.39.2 openstack-nova-serialproxy-16.1.9~dev76-3.39.2 openstack-nova-vncproxy-16.1.9~dev76-3.39.2 python-Django-1.11.29-3.19.2 python-Flask-Cors-3.0.3-3.3.1 python-ardana-packager-0.0.3-7.7.2 python-cinder-11.2.3~dev29-3.28.2 python-keystoneclient-3.13.1-3.3.2 python-keystoneclient-doc-3.13.1-3.3.2 python-keystonemiddleware-4.17.1-5.3.1 python-kombu-4.1.0-3.7.1 python-neutron-11.0.9~dev69-3.37.2 python-nova-16.1.9~dev76-3.39.2 python-straight-plugin-1.5.0-1.3.1 python-urllib3-1.22-5.12.1 release-notes-suse-openstack-cloud-8.20200922-3.23.1 venv-openstack-aodh-x86_64-5.1.1~dev7-12.28.1 venv-openstack-barbican-x86_64-5.0.2~dev3-12.29.1 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.26.1 
venv-openstack-cinder-x86_64-11.2.3~dev29-14.30.1 venv-openstack-designate-x86_64-5.0.3~dev7-12.27.1 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.24.1 venv-openstack-glance-x86_64-15.0.3~dev3-12.27.1 venv-openstack-heat-x86_64-9.0.8~dev22-12.29.1 venv-openstack-horizon-x86_64-12.0.5~dev3-14.32.1 venv-openstack-ironic-x86_64-9.1.8~dev8-12.29.1 venv-openstack-keystone-x86_64-12.0.4~dev11-11.30.1 venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.28.1 venv-openstack-manila-x86_64-5.1.1~dev5-12.33.1 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.24.1 venv-openstack-monasca-x86_64-2.2.2~dev1-11.24.1 venv-openstack-murano-x86_64-4.0.2~dev2-12.24.1 venv-openstack-neutron-x86_64-11.0.9~dev69-13.32.1 venv-openstack-nova-x86_64-16.1.9~dev76-11.30.1 venv-openstack-octavia-x86_64-1.0.6~dev3-12.29.1 venv-openstack-sahara-x86_64-7.0.5~dev4-11.28.1 venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.21.1 venv-openstack-trove-x86_64-8.0.2~dev2-11.28.1 - SUSE OpenStack Cloud 8 (x86_64): ansible-2.9.14-3.15.1 grafana-6.7.4-4.12.1 grafana-debuginfo-6.7.4-4.12.1 python-Pillow-4.2.1-3.9.2 python-Pillow-debuginfo-4.2.1-3.9.2 python-Pillow-debugsource-4.2.1-3.9.2 storm-1.2.3-3.6.1 storm-nimbus-1.2.3-3.6.1 storm-supervisor-1.2.3-3.6.1 - HPE Helion Openstack 8 (x86_64): ansible-2.9.14-3.15.1 grafana-6.7.4-4.12.1 grafana-debuginfo-6.7.4-4.12.1 python-Pillow-4.2.1-3.9.2 python-Pillow-debuginfo-4.2.1-3.9.2 python-Pillow-debugsource-4.2.1-3.9.2 storm-1.2.3-3.6.1 storm-nimbus-1.2.3-3.6.1 storm-supervisor-1.2.3-3.6.1 - HPE Helion Openstack 8 (noarch): ardana-ansible-8.0+git.1596735237.54109b1-3.77.1 ardana-cinder-8.0+git.1596129856.263f430-3.43.1 ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1 ardana-mq-8.0+git.1593618123.678c32b-3.26.1 ardana-nova-8.0+git.1601298847.dd01585-3.42.1 ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1 documentation-hpe-helion-openstack-installation-8.20201007-1.29.1 documentation-hpe-helion-openstack-operations-8.20201007-1.29.1 
documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1 documentation-hpe-helion-openstack-planning-8.20201007-1.29.1 documentation-hpe-helion-openstack-security-8.20201007-1.29.1 documentation-hpe-helion-openstack-user-8.20201007-1.29.1 grafana-natel-discrete-panel-0.0.9-3.3.6 openstack-cinder-11.2.3~dev29-3.28.2 openstack-cinder-api-11.2.3~dev29-3.28.2 openstack-cinder-backup-11.2.3~dev29-3.28.2 openstack-cinder-doc-11.2.3~dev29-3.28.1 openstack-cinder-scheduler-11.2.3~dev29-3.28.2 openstack-cinder-volume-11.2.3~dev29-3.28.2 openstack-monasca-installer-20190923_16.32-3.15.1 openstack-neutron-11.0.9~dev69-3.37.2 openstack-neutron-dhcp-agent-11.0.9~dev69-3.37.2 openstack-neutron-doc-11.0.9~dev69-3.37.1 openstack-neutron-ha-tool-11.0.9~dev69-3.37.2 openstack-neutron-l3-agent-11.0.9~dev69-3.37.2 openstack-neutron-linuxbridge-agent-11.0.9~dev69-3.37.2 openstack-neutron-macvtap-agent-11.0.9~dev69-3.37.2 openstack-neutron-metadata-agent-11.0.9~dev69-3.37.2 openstack-neutron-metering-agent-11.0.9~dev69-3.37.2 openstack-neutron-openvswitch-agent-11.0.9~dev69-3.37.2 openstack-neutron-server-11.0.9~dev69-3.37.2 openstack-nova-16.1.9~dev76-3.39.2 openstack-nova-api-16.1.9~dev76-3.39.2 openstack-nova-cells-16.1.9~dev76-3.39.2 openstack-nova-compute-16.1.9~dev76-3.39.2 openstack-nova-conductor-16.1.9~dev76-3.39.2 openstack-nova-console-16.1.9~dev76-3.39.2 openstack-nova-consoleauth-16.1.9~dev76-3.39.2 openstack-nova-doc-16.1.9~dev76-3.39.1 openstack-nova-novncproxy-16.1.9~dev76-3.39.2 openstack-nova-placement-api-16.1.9~dev76-3.39.2 openstack-nova-scheduler-16.1.9~dev76-3.39.2 openstack-nova-serialproxy-16.1.9~dev76-3.39.2 openstack-nova-vncproxy-16.1.9~dev76-3.39.2 python-Django-1.11.29-3.19.2 python-Flask-Cors-3.0.3-3.3.1 python-ardana-packager-0.0.3-7.7.2 python-cinder-11.2.3~dev29-3.28.2 python-keystoneclient-3.13.1-3.3.2 python-keystoneclient-doc-3.13.1-3.3.2 python-keystonemiddleware-4.17.1-5.3.1 python-kombu-4.1.0-3.7.1 python-neutron-11.0.9~dev69-3.37.2 
python-nova-16.1.9~dev76-3.39.2 python-urllib3-1.22-5.12.1 release-notes-hpe-helion-openstack-8.20200922-3.23.1 venv-openstack-aodh-x86_64-5.1.1~dev7-12.28.1 venv-openstack-barbican-x86_64-5.0.2~dev3-12.29.1 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.26.1 venv-openstack-cinder-x86_64-11.2.3~dev29-14.30.1 venv-openstack-designate-x86_64-5.0.3~dev7-12.27.1 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.24.1 venv-openstack-glance-x86_64-15.0.3~dev3-12.27.1 venv-openstack-heat-x86_64-9.0.8~dev22-12.29.1 venv-openstack-horizon-hpe-x86_64-12.0.5~dev3-14.32.1 venv-openstack-ironic-x86_64-9.1.8~dev8-12.29.1 venv-openstack-keystone-x86_64-12.0.4~dev11-11.30.1 venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.28.1 venv-openstack-manila-x86_64-5.1.1~dev5-12.33.1 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.24.1 venv-openstack-monasca-x86_64-2.2.2~dev1-11.24.1 venv-openstack-murano-x86_64-4.0.2~dev2-12.24.1 venv-openstack-neutron-x86_64-11.0.9~dev69-13.32.1 venv-openstack-nova-x86_64-16.1.9~dev76-11.30.1 venv-openstack-octavia-x86_64-1.0.6~dev3-12.29.1 venv-openstack-sahara-x86_64-7.0.5~dev4-11.28.1 venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.21.1 venv-openstack-trove-x86_64-8.0.2~dev2-11.28.1 References: https://www.suse.com/security/cve/CVE-2016-8614.html https://www.suse.com/security/cve/CVE-2016-8628.html https://www.suse.com/security/cve/CVE-2016-8647.html https://www.suse.com/security/cve/CVE-2016-9587.html https://www.suse.com/security/cve/CVE-2017-7466.html https://www.suse.com/security/cve/CVE-2017-7550.html https://www.suse.com/security/cve/CVE-2018-10875.html https://www.suse.com/security/cve/CVE-2018-11779.html https://www.suse.com/security/cve/CVE-2018-16837.html https://www.suse.com/security/cve/CVE-2018-16859.html https://www.suse.com/security/cve/CVE-2018-16876.html https://www.suse.com/security/cve/CVE-2018-18623.html https://www.suse.com/security/cve/CVE-2018-18624.html 
https://www.suse.com/security/cve/CVE-2018-18625.html https://www.suse.com/security/cve/CVE-2019-0202.html https://www.suse.com/security/cve/CVE-2019-10156.html https://www.suse.com/security/cve/CVE-2019-10206.html https://www.suse.com/security/cve/CVE-2019-10217.html https://www.suse.com/security/cve/CVE-2019-14846.html https://www.suse.com/security/cve/CVE-2019-14856.html https://www.suse.com/security/cve/CVE-2019-14858.html https://www.suse.com/security/cve/CVE-2019-14864.html https://www.suse.com/security/cve/CVE-2019-14904.html https://www.suse.com/security/cve/CVE-2019-14905.html https://www.suse.com/security/cve/CVE-2019-19844.html https://www.suse.com/security/cve/CVE-2019-3828.html https://www.suse.com/security/cve/CVE-2020-10177.html https://www.suse.com/security/cve/CVE-2020-10378.html https://www.suse.com/security/cve/CVE-2020-10684.html https://www.suse.com/security/cve/CVE-2020-10685.html https://www.suse.com/security/cve/CVE-2020-10691.html https://www.suse.com/security/cve/CVE-2020-10729.html https://www.suse.com/security/cve/CVE-2020-10744.html https://www.suse.com/security/cve/CVE-2020-10994.html https://www.suse.com/security/cve/CVE-2020-11110.html https://www.suse.com/security/cve/CVE-2020-14330.html https://www.suse.com/security/cve/CVE-2020-14332.html https://www.suse.com/security/cve/CVE-2020-14365.html https://www.suse.com/security/cve/CVE-2020-1733.html https://www.suse.com/security/cve/CVE-2020-1734.html https://www.suse.com/security/cve/CVE-2020-1735.html https://www.suse.com/security/cve/CVE-2020-1736.html https://www.suse.com/security/cve/CVE-2020-1737.html https://www.suse.com/security/cve/CVE-2020-17376.html https://www.suse.com/security/cve/CVE-2020-1738.html https://www.suse.com/security/cve/CVE-2020-1739.html https://www.suse.com/security/cve/CVE-2020-1740.html https://www.suse.com/security/cve/CVE-2020-1746.html https://www.suse.com/security/cve/CVE-2020-1753.html https://www.suse.com/security/cve/CVE-2020-25032.html 
https://www.suse.com/security/cve/CVE-2020-26137.html https://www.suse.com/security/cve/CVE-2020-7471.html https://www.suse.com/security/cve/CVE-2020-9402.html https://bugzilla.suse.com/1008037 https://bugzilla.suse.com/1008038 https://bugzilla.suse.com/1010940 https://bugzilla.suse.com/1019021 https://bugzilla.suse.com/1038785 https://bugzilla.suse.com/1056094 https://bugzilla.suse.com/1059235 https://bugzilla.suse.com/1080682 https://bugzilla.suse.com/1097775 https://bugzilla.suse.com/1102126 https://bugzilla.suse.com/1109957 https://bugzilla.suse.com/1112959 https://bugzilla.suse.com/1117080 https://bugzilla.suse.com/1118896 https://bugzilla.suse.com/1123561 https://bugzilla.suse.com/1126503 https://bugzilla.suse.com/1137479 https://bugzilla.suse.com/1137528 https://bugzilla.suse.com/1142121 https://bugzilla.suse.com/1142542 https://bugzilla.suse.com/1144453 https://bugzilla.suse.com/1153452 https://bugzilla.suse.com/1154231 https://bugzilla.suse.com/1154232 https://bugzilla.suse.com/1154830 https://bugzilla.suse.com/1157968 https://bugzilla.suse.com/1157969 https://bugzilla.suse.com/1159447 https://bugzilla.suse.com/1161919 https://bugzilla.suse.com/1164133 https://bugzilla.suse.com/1164134 https://bugzilla.suse.com/1164135 https://bugzilla.suse.com/1164136 https://bugzilla.suse.com/1164137 https://bugzilla.suse.com/1164138 https://bugzilla.suse.com/1164139 https://bugzilla.suse.com/1164140 https://bugzilla.suse.com/1165022 https://bugzilla.suse.com/1165393 https://bugzilla.suse.com/1166389 https://bugzilla.suse.com/1167440 https://bugzilla.suse.com/1167532 https://bugzilla.suse.com/1171162 https://bugzilla.suse.com/1171823 https://bugzilla.suse.com/1172450 https://bugzilla.suse.com/1173413 https://bugzilla.suse.com/1173416 https://bugzilla.suse.com/1173418 https://bugzilla.suse.com/1174006 https://bugzilla.suse.com/1174145 https://bugzilla.suse.com/1174242 https://bugzilla.suse.com/1174302 https://bugzilla.suse.com/1174583 https://bugzilla.suse.com/1175484 
https://bugzilla.suse.com/1175986
https://bugzilla.suse.com/1175993
https://bugzilla.suse.com/1177120
https://bugzilla.suse.com/1177948

From sle-security-updates at lists.suse.com Thu Nov 12 13:14:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:14:52 +0100 (CET)
Subject: SUSE-SU-2020:3315-1: important: Security update for openldap2
Message-ID: <20201112201452.3D583FFA8@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3315-1
Rating: important
References: #1178387
Cross-References: CVE-2020-25692
Affected Products:
  SUSE Linux Enterprise Server for SAP 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP5:
  zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-3315=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3315=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3315=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3315=1
- SUSE Linux Enterprise Module for Legacy Software 12:
  zypper in -t patch SUSE-SLE-Module-Legacy-12-2020-3315=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
  compat-libldap-2_3-0-2.3.37-18.24.23.1
  compat-libldap-2_3-0-debuginfo-2.3.37-18.24.23.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  compat-libldap-2_3-0-2.3.37-18.24.23.1
  compat-libldap-2_3-0-debuginfo-2.3.37-18.24.23.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  compat-libldap-2_3-0-2.3.37-18.24.23.1
  compat-libldap-2_3-0-debuginfo-2.3.37-18.24.23.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  compat-libldap-2_3-0-2.3.37-18.24.23.1
  compat-libldap-2_3-0-debuginfo-2.3.37-18.24.23.1
- SUSE Linux Enterprise Module for Legacy Software 12 (aarch64 ppc64le s390x x86_64):
  compat-libldap-2_3-0-2.3.37-18.24.23.1
  compat-libldap-2_3-0-debuginfo-2.3.37-18.24.23.1

References:

https://www.suse.com/security/cve/CVE-2020-25692.html
https://bugzilla.suse.com/1178387

From sle-security-updates at lists.suse.com Thu Nov 12 13:15:57 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:15:57 +0100 (CET)
Subject: SUSE-SU-2020:3313-1: important: Security update for openldap2
Message-ID: <20201112201557.7551BFFA8@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3313-1
Rating: important
References: #1178387
Cross-References: CVE-2020-25692
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Legacy Software 15-SP2
  SUSE Linux Enterprise Module for Legacy Software 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15-SP2
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3313=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3313=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3313=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-3313=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3313=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3313=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3313=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3313=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3313=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3313=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 openldap2-2.4.46-9.40.1 openldap2-back-meta-2.4.46-9.40.1 openldap2-back-meta-debuginfo-2.4.46-9.40.1 openldap2-back-perl-2.4.46-9.40.1 openldap2-back-perl-debuginfo-2.4.46-9.40.1 openldap2-client-2.4.46-9.40.1 openldap2-client-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-2.4.46-9.40.1 openldap2-devel-static-2.4.46-9.40.1 openldap2-ppolicy-check-password-1.2-9.40.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): libldap-data-2.4.46-9.40.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): 
libldap-2_4-2-32bit-2.4.46-9.40.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.40.1 openldap2-devel-32bit-2.4.46-9.40.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 openldap2-2.4.46-9.40.1 openldap2-back-meta-2.4.46-9.40.1 openldap2-back-meta-debuginfo-2.4.46-9.40.1 openldap2-back-perl-2.4.46-9.40.1 openldap2-back-perl-debuginfo-2.4.46-9.40.1 openldap2-client-2.4.46-9.40.1 openldap2-client-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-2.4.46-9.40.1 openldap2-devel-static-2.4.46-9.40.1 openldap2-ppolicy-check-password-1.2-9.40.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): libldap-data-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.40.1 openldap2-back-meta-2.4.46-9.40.1 openldap2-back-meta-debuginfo-2.4.46-9.40.1 openldap2-back-perl-2.4.46-9.40.1 openldap2-back-perl-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-ppolicy-check-password-1.2-9.40.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.40.1 openldap2-back-meta-2.4.46-9.40.1 openldap2-back-meta-debuginfo-2.4.46-9.40.1 openldap2-back-perl-2.4.46-9.40.1 openldap2-back-perl-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-ppolicy-check-password-1.2-9.40.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (x86_64): openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-32bit-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-32bit-2.4.46-9.40.1 - SUSE Linux Enterprise Module for 
Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 openldap2-client-2.4.46-9.40.1 openldap2-client-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-2.4.46-9.40.1 openldap2-devel-static-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): libldap-data-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libldap-2_4-2-32bit-2.4.46-9.40.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 openldap2-client-2.4.46-9.40.1 openldap2-client-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-2.4.46-9.40.1 openldap2-devel-static-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libldap-2_4-2-32bit-2.4.46-9.40.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libldap-data-2.4.46-9.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 openldap2-client-2.4.46-9.40.1 openldap2-client-debuginfo-2.4.46-9.40.1 openldap2-debuginfo-2.4.46-9.40.1 openldap2-debugsource-2.4.46-9.40.1 openldap2-devel-2.4.46-9.40.1 openldap2-devel-static-2.4.46-9.40.1 openldap2-ppolicy-check-password-1.2-9.40.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libldap-2_4-2-32bit-2.4.46-9.40.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.40.1 openldap2-devel-32bit-2.4.46-9.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libldap-data-2.4.46-9.40.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.40.1 libldap-2_4-2-debuginfo-2.4.46-9.40.1 
openldap2-client-2.4.46-9.40.1
openldap2-client-debuginfo-2.4.46-9.40.1
openldap2-debuginfo-2.4.46-9.40.1
openldap2-debugsource-2.4.46-9.40.1
openldap2-devel-2.4.46-9.40.1
openldap2-devel-static-2.4.46-9.40.1
openldap2-ppolicy-check-password-1.2-9.40.1
openldap2-ppolicy-check-password-debuginfo-1.2-9.40.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

libldap-2_4-2-32bit-2.4.46-9.40.1
libldap-2_4-2-32bit-debuginfo-2.4.46-9.40.1
openldap2-devel-32bit-2.4.46-9.40.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

libldap-data-2.4.46-9.40.1

References:

https://www.suse.com/security/cve/CVE-2020-25692.html
https://bugzilla.suse.com/1178387

From sle-security-updates at lists.suse.com Thu Nov 12 13:17:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:17:02 +0100 (CET)
Subject: SUSE-SU-2020:3311-1: important: Security update for MozillaFirefox
Message-ID: <20201112201702.9540DFFA8@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3311-1
Rating:             important
References:         #1178588
Cross-References:   CVE-2020-26950
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.4.1 ESR
  * Fixed: Security fix MFSA 2020-49 (bsc#1178588)
  * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3311=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-78.4.1-3.116.1
MozillaFirefox-debuginfo-78.4.1-3.116.1
MozillaFirefox-debugsource-78.4.1-3.116.1
MozillaFirefox-devel-78.4.1-3.116.1
MozillaFirefox-translations-common-78.4.1-3.116.1
MozillaFirefox-translations-other-78.4.1-3.116.1

References:

https://www.suse.com/security/cve/CVE-2020-26950.html
https://bugzilla.suse.com/1178588

From sle-security-updates at lists.suse.com Thu Nov 12 13:17:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:17:58 +0100 (CET)
Subject: SUSE-SU-2020:3312-1: important: Security update for MozillaFirefox
Message-ID: <20201112201758.C2F85FFA8@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3312-1
Rating:             important
References:         #1178588
Cross-References:   CVE-2020-26950
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.4.1 ESR
  * Fixed: Security fix MFSA 2020-49 (bsc#1178588)
  * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3312=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

MozillaFirefox-78.4.1-8.14.1
MozillaFirefox-debuginfo-78.4.1-8.14.1
MozillaFirefox-debugsource-78.4.1-8.14.1
MozillaFirefox-devel-78.4.1-8.14.1
MozillaFirefox-translations-common-78.4.1-8.14.1
MozillaFirefox-translations-other-78.4.1-8.14.1

References:

https://www.suse.com/security/cve/CVE-2020-26950.html
https://bugzilla.suse.com/1178588

From sle-security-updates at lists.suse.com Thu Nov 12 13:19:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:19:02 +0100 (CET)
Subject: SUSE-SU-2020:3314-1: important: Security update for openldap2
Message-ID: <20201112201902.95CB0FFA8@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3314-1
Rating:             important
References:         #1178387
Cross-References:   CVE-2020-25692
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3314=1

- SUSE OpenStack Cloud Crowbar 8:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3314=1

- SUSE OpenStack Cloud 9:

  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3314=1

- SUSE OpenStack Cloud 8:

  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3314=1

- SUSE OpenStack Cloud 7:

  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3314=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3314=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3314=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3314=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3314=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3314=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3314=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3314=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3314=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3314=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3314=1

- SUSE Enterprise Storage 5:

  zypper in -t patch SUSE-Storage-5-2020-3314=1

- HPE Helion Openstack 8:

  zypper in -t patch HPE-Helion-OpenStack-8-2020-3314=1
Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE OpenStack Cloud 9 (x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE OpenStack Cloud 9 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE OpenStack Cloud 8 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE OpenStack Cloud 8 (x86_64): libldap-2_4-2-2.4.41-18.77.1 
libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE OpenStack Cloud 7 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): openldap2-back-perl-2.4.41-18.77.1 openldap2-back-perl-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-devel-2.4.41-18.77.1 openldap2-devel-static-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP4 
(x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux 
Enterprise Server 12-SP5 (s390x x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 
openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): openldap2-doc-2.4.41-18.77.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-32bit-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libldap-2_4-2-2.4.41-18.77.1 libldap-2_4-2-debuginfo-2.4.41-18.77.1 openldap2-2.4.41-18.77.1 openldap2-back-meta-2.4.41-18.77.1 openldap2-back-meta-debuginfo-2.4.41-18.77.1 openldap2-client-2.4.41-18.77.1 openldap2-client-debuginfo-2.4.41-18.77.1 openldap2-debuginfo-2.4.41-18.77.1 openldap2-debugsource-2.4.41-18.77.1 openldap2-ppolicy-check-password-1.2-18.77.1 openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1 
- SUSE Enterprise Storage 5 (x86_64):

libldap-2_4-2-32bit-2.4.41-18.77.1
libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1

- SUSE Enterprise Storage 5 (noarch):

openldap2-doc-2.4.41-18.77.1

- HPE Helion Openstack 8 (noarch):

openldap2-doc-2.4.41-18.77.1

- HPE Helion Openstack 8 (x86_64):

libldap-2_4-2-2.4.41-18.77.1
libldap-2_4-2-32bit-2.4.41-18.77.1
libldap-2_4-2-debuginfo-2.4.41-18.77.1
libldap-2_4-2-debuginfo-32bit-2.4.41-18.77.1
openldap2-2.4.41-18.77.1
openldap2-back-meta-2.4.41-18.77.1
openldap2-back-meta-debuginfo-2.4.41-18.77.1
openldap2-client-2.4.41-18.77.1
openldap2-client-debuginfo-2.4.41-18.77.1
openldap2-debuginfo-2.4.41-18.77.1
openldap2-debugsource-2.4.41-18.77.1
openldap2-ppolicy-check-password-1.2-18.77.1
openldap2-ppolicy-check-password-debuginfo-1.2-18.77.1

References:

https://www.suse.com/security/cve/CVE-2020-25692.html
https://bugzilla.suse.com/1178387

From sle-security-updates at lists.suse.com Thu Nov 12 13:20:11 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Nov 2020 21:20:11 +0100 (CET)
Subject: SUSE-SU-2020:3310-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20201112202011.A26CAFFA8@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3310-1
Rating:             important
References:         #1177943
Cross-References:   CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792
                    CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
  * Security fixes
    + JDK-8233624: Enhance JNI linkage
    + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
    + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
    + JDK-8237995, CVE-2020-14782: Enhance certificate processing
    + JDK-8240124: Better VM Interning
    + JDK-8241114, CVE-2020-14792: Better range handling
    + JDK-8242680, CVE-2020-14796: Improved URI Support
    + JDK-8242685, CVE-2020-14797: Better Path Validation
    + JDK-8242695, CVE-2020-14798: Enhanced buffer support
    + JDK-8243302: Advanced class supports
    + JDK-8244136, CVE-2020-14803: Improved Buffer supports
    + JDK-8244479: Further constrain certificates
    + JDK-8244955: Additional Fix for JDK-8240124
    + JDK-8245407: Enhance zoning of times
    + JDK-8245412: Better class definitions
    + JDK-8245417: Improve certificate chain handling
    + JDK-8248574: Improve jpeg processing
    + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
    + JDK-8253019: Enhanced JPEG decoding
  * Import of OpenJDK 7 u281 build 1
    + JDK-8145096: Undefined behaviour in HotSpot
    + JDK-8215265: C2: range check elimination may allow illegal out of bound access
  * Backports
    + JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3310=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3310=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3310=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3310=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3310=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3310=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3310=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3310=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3310=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3310=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3310=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3310=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3310=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3310=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3310=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3310=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 
java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE OpenStack Cloud 9 (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): 
java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): 
java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-1.7.0.281-43.44.2 java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-1.7.0.281-43.44.2 java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-1.7.0.281-43.44.2 java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_0-openjdk-1.7.0.281-43.44.2 
java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2

- SUSE Enterprise Storage 5 (aarch64 x86_64):

java-1_7_0-openjdk-1.7.0.281-43.44.2
java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2

- HPE Helion Openstack 8 (x86_64):

java-1_7_0-openjdk-1.7.0.281-43.44.2
java-1_7_0-openjdk-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-debugsource-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-1.7.0.281-43.44.2
java-1_7_0-openjdk-demo-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-1.7.0.281-43.44.2
java-1_7_0-openjdk-devel-debuginfo-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-1.7.0.281-43.44.2
java-1_7_0-openjdk-headless-debuginfo-1.7.0.281-43.44.2

References:

https://www.suse.com/security/cve/CVE-2020-14779.html
https://www.suse.com/security/cve/CVE-2020-14781.html
https://www.suse.com/security/cve/CVE-2020-14782.html
https://www.suse.com/security/cve/CVE-2020-14792.html
https://www.suse.com/security/cve/CVE-2020-14796.html
https://www.suse.com/security/cve/CVE-2020-14797.html
https://www.suse.com/security/cve/CVE-2020-14798.html
https://www.suse.com/security/cve/CVE-2020-14803.html
https://bugzilla.suse.com/1177943

From sle-security-updates at lists.suse.com Fri Nov 13 00:21:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Nov 2020 08:21:32 +0100 (CET)
Subject: SUSE-CU-2020:673-1: Security update of suse/sles12sp3
Message-ID: <20201113072132.155A7FFC1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:673-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.230 , suse/sles12sp3:latest
Container Release     : 24.230
Severity              : important
Type                  : security
References            : 1178387 CVE-2020-25692
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3314-1
Released:    Thu Nov 12 16:10:36 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

From sle-security-updates at lists.suse.com Fri Nov 13 00:34:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Nov 2020 08:34:08 +0100 (CET)
Subject: SUSE-CU-2020:674-1: Security update of suse/sles12sp4
Message-ID: <20201113073408.4B196FFC1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:674-1
Container Tags        : suse/sles12sp4:26.262 , suse/sles12sp4:latest
Container Release     : 26.262
Severity              : important
Type                  : security
References            : 1178387 CVE-2020-25692
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3314-1
Released:    Thu Nov 12 16:10:36 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

From sle-security-updates at lists.suse.com Fri Nov 13 00:40:47 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Nov 2020 08:40:47 +0100 (CET)
Subject: SUSE-CU-2020:675-1: Security update of suse/sles12sp5
Message-ID: <20201113074047.5B8D8FFC1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:675-1
Container Tags        : suse/sles12sp5:6.5.91 , suse/sles12sp5:latest
Container Release     : 6.5.91
Severity              : important
Type                  : security
References            : 1178387 CVE-2020-25692
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3314-1
Released:    Thu Nov 12 16:10:36 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
From sle-security-updates at lists.suse.com Fri Nov 13 00:52:44 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Nov 2020 08:52:44 +0100 (CET) Subject: SUSE-CU-2020:677-1: Security update of suse/sle15 Message-ID: <20201113075244.656E0FFC1@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:677-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.344 Container Release : 6.2.344 Severity : important Type : security References : 1178387 CVE-2020-25692 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). From sle-security-updates at lists.suse.com Fri Nov 13 00:57:11 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Nov 2020 08:57:11 +0100 (CET) Subject: SUSE-CU-2020:678-1: Security update of suse/sle15 Message-ID: <20201113075711.254EDFFC1@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:678-1 Container Tags : suse/sle15:15.2 , suse/sle15:15.2.8.2.787 Container Release : 8.2.787 Severity : important Type : security References : 1174232 1177998 1178387 CVE-2020-25692 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3294-1 Released: Wed Nov 11 12:28:46 2020 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1177998 This update for SLES-release fixes the following issue: - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). 
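The advisories above identify a fix in two different ways: the SUSE-SU package advisories list RPM name-version-release strings (for example java-1_7_0-openjdk-1.7.0.281-43.44.2), and the SUSE-CU container advisories give a Container Release (24.230, 26.262, 6.5.91, 6.2.344, 8.2.787) together with the tags that pointed at the rebuilt image when it was published. The script below is an added example, not SUSE tooling and not part of the advisories, showing how an inventory can be checked offline against both: it reimplements rpm's segment-wise version ordering (tilde and caret handling omitted), compares installed packages against the advisory's package list, and judges an image reference by its tag. It assumes, from the tags shown on this page, that the immutable tag of a fixed image is the listed tag that ends with the Container Release (15.1.6.2.344 for release 6.2.344), and it treats every other tag (latest, 2.0.2, 15.1) as floating, because such a tag says nothing about which release is actually running. The installed-package list and the running-image list are constructed for the example.

```python
"""Check RPM and container inventories against SUSE advisory identifiers.

Added example, not part of the SUSE advisories or of any SUSE tool.  The
advisory identifiers are copied from this page; INSTALLED and RUNNING_IMAGES
are constructed inventories for a hypothetical host and registry.
"""
import re

# Package list of the java-1_7_0-openjdk advisory on this page (subset).
SU_PACKAGES = [
    "java-1_7_0-openjdk-1.7.0.281-43.44.2",
    "java-1_7_0-openjdk-headless-1.7.0.281-43.44.2",
    "java-1_7_0-openjdk-devel-1.7.0.281-43.44.2",
]

# Container Tags and Container Release of the SUSE-CU advisories on this page.
CU_ADVISORIES = [
    {"repo": "suse/sles12sp3", "tags": ["2.0.2", "24.230", "latest"], "release": "24.230"},
    {"repo": "suse/sles12sp4", "tags": ["26.262", "latest"], "release": "26.262"},
    {"repo": "suse/sles12sp5", "tags": ["6.5.91", "latest"], "release": "6.5.91"},
    {"repo": "suse/sle15", "tags": ["15.1", "15.1.6.2.344"], "release": "6.2.344"},
    {"repo": "suse/sle15", "tags": ["15.2", "15.2.8.2.787"], "release": "8.2.787"},
]

# Constructed inventory (hypothetical `rpm -qa` output and registry state).
INSTALLED = [
    "java-1_7_0-openjdk-1.7.0.261-43.41.1",           # older than the advisory
    "java-1_7_0-openjdk-headless-1.7.0.281-43.44.2",  # already at the fixed build
    "bash-4.4-9.10.1",                                # unrelated package
]
RUNNING_IMAGES = [
    "suse/sles12sp3:24.230",      # exactly the fixed release
    "suse/sles12sp4:26.230",      # an older release
    "suse/sle15:15.1.6.2.300",    # older release in the 15.1 stream
    "suse/sles12sp5:latest",      # floating tag
]

_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style ordering of version/release strings: -1, 0 or 1.
    Strings are split into numeric and alphabetic runs (separators are
    ignored); numeric runs compare as integers, a numeric run outranks an
    alphabetic one, and the string with segments left over wins."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_nvr(pkg: str):
    """'name-version-release' -> (name, version, release).  Version and
    release never contain '-', so the last two dashes delimit them."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def compare_vr(a_vr, b_vr) -> int:
    """Order (version, release) pairs: version first, release on a tie."""
    c = rpmvercmp(a_vr[0], b_vr[0])
    return c if c else rpmvercmp(a_vr[1], b_vr[1])


def outdated_packages(advisory, installed):
    """Installed packages older than the advisory's build, as
    (name, installed_vr, required_vr).  Listed packages that are not
    installed are not affected and are skipped."""
    want = {n: (v, r) for n, v, r in map(split_nvr, advisory)}
    have = {n: (v, r) for n, v, r in map(split_nvr, installed)}
    return [(n, "-".join(have[n]), "-".join(vr))
            for n, vr in want.items() if n in have and compare_vr(have[n], vr) < 0]


def image_status(image_ref: str, advisories) -> str:
    """'fixed', 'vulnerable' or 'unknown' for a repository:tag reference.
    Assumption: the immutable tag of the fixed image is the listed tag that
    ends with the Container Release; the part before it ('15.1.' or '')
    names the stream.  A tag that is not numeric with the same number of
    components as the release is floating and cannot be judged."""
    repo, _, tag = image_ref.partition(":")
    for adv in advisories:
        if adv["repo"] != repo:
            continue
        release_tag = next(t for t in adv["tags"] if t.endswith(adv["release"]))
        stream = release_tag[: len(release_tag) - len(adv["release"])]
        if not tag.startswith(stream):
            continue  # another stream of the same repository
        rel = tag[len(stream):]
        if not re.fullmatch(r"\d+(\.\d+)*", rel) or rel.count(".") != adv["release"].count("."):
            return "unknown"  # 'latest', '2.0.2', '15.1': pin to a release tag instead
        return "fixed" if rpmvercmp(rel, adv["release"]) >= 0 else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    for name, have, want in outdated_packages(SU_PACKAGES, INSTALLED):
        print(f"UPDATE NEEDED {name}: {have} -> {want}")
    for ref in RUNNING_IMAGES:
        print(f"{ref}: {image_status(ref, CU_ADVISORIES)}")
```

Run against real data, `INSTALLED` would come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and the package list from the advisory's "Package List" section; the point of the `unknown` result is that an image pulled by a floating tag has to be inspected (or re-pulled and pinned to the release tag) before it can be declared fixed.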
From sle-security-updates at lists.suse.com  Fri Nov 13 13:15:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Nov 2020 21:15:05 +0100 (CET)
Subject: SUSE-SU-2020:3326-1: moderate: Security update for the Linux Kernel
Message-ID: <20201113201505.BEBC1FFA8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3326-1
Rating:             moderate
References:         #1055014 #1058115 #1061843 #1065600 #1065729 #1066382 #1077428 #1112178 #1114648 #1131277 #1134760 #1157424 #1163592 #1167030 #1170415 #1171558 #1172538 #1173432 #1174748 #1175520 #1175721 #1176354 #1176485 #1176560 #1176723 #1176907 #1176946 #1177086 #1177101 #1177271 #1177281 #1177410 #1177411 #1177470 #1177719 #1177740 #1177749 #1177750 #1177753 #1177754 #1177755 #1177766 #1177855 #1177856 #1177861 #1178003 #1178027 #1178166 #1178185 #1178187 #1178188 #1178202 #1178234 #1178330 SLE-10886
Cross-References:   CVE-2020-0430 CVE-2020-14351 CVE-2020-16120 CVE-2020-25285 CVE-2020-25656 CVE-2020-25705 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

   An update that solves 7 vulnerabilities, contains one feature and has 47 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
   - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
   - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
   - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
   - CVE-2020-25705: Removed an ICMP global rate-limiting side channel that could enable e.g. the SADDNS attack (bsc#1175721).

   The following non-security bugs were fixed:

   - ACPI: dock: fix enum-conversion warning (git-fixes).
   - ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
   - ALSA: compress_offload: remove redundant initialization (git-fixes).
   - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
   - ALSA: core: pcm: simplify locking for timers (git-fixes).
   - ALSA: core: timer: clarify operator precedence (git-fixes).
   - ALSA: core: timer: remove redundant assignment (git-fixes).
   - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
   - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
   - ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
   - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
   - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
   - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
   - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
   - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
   - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
   - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
   - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
   - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
   - ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
   - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
   - ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
   - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
   - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
   - ath10k: provide survey info as accumulated data (git-fixes).
   - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
   - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
   - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
   - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
   - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
   - block: ensure bdi->io_pages is always initialized (bsc#1177749).
   - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
   - Bluetooth: Only mark socket zapped after unlocking (git-fixes).
   - bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
   - bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
   - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
   - brcmfmac: check ndev pointer (git-fixes).
   - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
   - btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
   - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
   - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
   - btrfs: remove root usage from can_overcommit (bsc#1131277).
   - btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
   - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
   - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
   - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
   - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
   - ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
   - ceph: map snapid to anonymous bdev ID (bsc#1178234).
   - ceph: promote to unsigned long long before shifting (bsc#1178187).
   - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
   - clk: at91: remove the checking of parent_name (git-fixes).
   - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
   - clk: imx8mq: Fix usdhc parents order (git-fixes).
   - coredump: fix crash when umh is disabled (bsc#1177753).
   - crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
   - crypto: ccp - fix error handling (git-fixes).
   - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
   - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
   - crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
   - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
   - cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
   - device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
   - device property: Keep secondary firmware node secondary by type (git-fixes).
   - Disable ipa-clones dump for KMP builds (bsc#1178330). The feature is not really useful for KMP builds, and rather confusing, so it is disabled when building out-of-tree code.
   - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
   - drm/gma500: fix error check (git-fixes).
   - drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
   - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
   - eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
   - Fix use after free in get_capset_info callback (git-fixes).
   - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
   - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
   - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
   - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
   - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
   - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
   - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
   - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
   - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
   - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
   - iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
   - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
   - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
   - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
   - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
   - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
   - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
   - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
   - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
   - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
   - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
   - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
   - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
   - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
   - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
   - kbuild: enforce -Werror=return-type (bsc#1177281).
   - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
   - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
   - livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain; otherwise it could fail easily. Do the correct thing and test for the availability.
   - mac80211: handle lack of sband->bitrates in rates (git-fixes).
   - mailbox: avoid timer start from callback (git-fixes).
   - media: ati_remote: sanity check for both endpoints (git-fixes).
   - media: bdisp: Fix runtime PM imbalance on error (git-fixes).
   - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
   - media: exynos4-is: Fix a reference count leak (git-fixes).
   - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
   - media: firewire: fix memory leak (git-fixes).
   - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
   - media: media/pci: prevent memory leak in bttv_probe (git-fixes).
   - media: omap3isp: Fix memleak in isp_probe (git-fixes).
   - media: platform: fcp: Fix a reference count leak (git-fixes).
   - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
   - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
   - media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
   - media: s5p-mfc: Fix a reference count leak (git-fixes).
   - media: saa7134: avoid a shift overflow (git-fixes).
   - media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
   - media: sti: Fix reference count leaks (git-fixes).
   - media: tc358743: initialize variable (git-fixes).
   - media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
   - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
   - media: usbtv: Fix refcounting mixup (git-fixes).
   - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
   - media: vsp1: Fix runtime PM imbalance on error (git-fixes).
   - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
   - memory: omap-gpmc: Fix a couple off by ones (git-fixes).
   - mic: vop: copy data to kernel space then write to io memory (git-fixes).
   - misc: mic: scif: Fix error handling path (git-fixes).
   - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
   - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
   - mlx5 PPC ringsize workaround (bsc#1173432).
   - mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
   - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
   - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
   - mtd: lpddr: fix excessive stack usage with clang (git-fixes).
   - mtd: mtdoops: Do not write panic data twice (git-fixes).
   - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
   - mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
   - mwifiex: fix double free (git-fixes).
   - mwifiex: remove function pointer check (git-fixes).
   - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
   - net: disable netpoll on fresh napis (networking-stable-20_09_11).
   - net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
   - net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
   - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
   - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
   - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
   - netlabel: fix problems with mapping removal (networking-stable-20_09_11).
   - net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
   - net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
   - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
   - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
   - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
   - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
   - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
   - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
   - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
   - nl80211: fix non-split wiphy information (git-fixes).
   - NTB: hw: amd: fix an issue about leak system resources (git-fixes).
   - nvme: do not update disk info for multipathed device (bsc#1171558).
   - nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
   - nvme-rdma: fix crash when connect rejected (bsc#1174748).
   - perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1114648).
   - perf/x86: Fix n_pair for cancelled txn (bsc#1114648).
   - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
   - powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
   - powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
   - powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
   - powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
   - powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
   - powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
   - powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
   - powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
   - pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
   - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
   - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
   - rtl8xxxu: prevent potential memory leak (git-fixes).
   - scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
   - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
   - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
   - tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
   - tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
   - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
   - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
   - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
   - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
   - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
   - tty: ipwireless: fix error handling (git-fixes).
   - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
   - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
   - usb: cdc-acm: handle broken union descriptors (git-fixes).
   - usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
   - usb: core: Solve race condition in anchor cleanup functions (git-fixes).
   - usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
   - usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
   - usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
   - usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
   - usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
   - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
   - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
   - usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
   - usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
   - usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
   - usb: ohci: Default to per-port over-current protection (git-fixes).
   - usb: serial: qcserial: fix altsetting probing (git-fixes).
   - vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
   - video: fbdev: sis: fix null ptr dereference (git-fixes).
   - video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
   - VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
   - w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
   - watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
   - watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
   - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
   - writeback: Avoid skipping inode writeback (bsc#1177755).
   - writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
   - writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
   - x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
   - x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
   - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
   - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
   - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
   - xen/events: block rogue events for some time (XSA-332 bsc#1177411).
   - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
   - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
   - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
   - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
   - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
   - xen/gntdev.c: Mark pages as dirty (bsc#1065600).
   - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen: XEN uses irqdesc::irq_data_common::handler_data to store a per-interrupt XEN data pointer which contains XEN-specific information (XSA-332 bsc#1065600).
   - xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
   - xfs: don't update mtime on COW faults (bsc#1167030).
   - xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3326=1

Package List:

- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

   kernel-default-debuginfo-4.12.14-122.51.2
   kernel-default-debugsource-4.12.14-122.51.2
   kernel-default-kgraft-4.12.14-122.51.2
   kernel-default-kgraft-devel-4.12.14-122.51.2
   kgraft-patch-4_12_14-122_51-default-1-8.5.2

References:

   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1055014
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1061843
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1066382
   https://bugzilla.suse.com/1077428
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1114648
   https://bugzilla.suse.com/1131277
   https://bugzilla.suse.com/1134760
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1167030
   https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1171558 https://bugzilla.suse.com/1172538 https://bugzilla.suse.com/1173432 https://bugzilla.suse.com/1174748 https://bugzilla.suse.com/1175520 https://bugzilla.suse.com/1175721 https://bugzilla.suse.com/1176354 https://bugzilla.suse.com/1176485 https://bugzilla.suse.com/1176560 https://bugzilla.suse.com/1176723 https://bugzilla.suse.com/1176907 https://bugzilla.suse.com/1176946 https://bugzilla.suse.com/1177086 https://bugzilla.suse.com/1177101 https://bugzilla.suse.com/1177271 https://bugzilla.suse.com/1177281 https://bugzilla.suse.com/1177410 https://bugzilla.suse.com/1177411 https://bugzilla.suse.com/1177470 https://bugzilla.suse.com/1177719 https://bugzilla.suse.com/1177740 https://bugzilla.suse.com/1177749 https://bugzilla.suse.com/1177750 https://bugzilla.suse.com/1177753 https://bugzilla.suse.com/1177754 https://bugzilla.suse.com/1177755 https://bugzilla.suse.com/1177766 https://bugzilla.suse.com/1177855 https://bugzilla.suse.com/1177856 https://bugzilla.suse.com/1177861 https://bugzilla.suse.com/1178003 https://bugzilla.suse.com/1178027 https://bugzilla.suse.com/1178166 https://bugzilla.suse.com/1178185 https://bugzilla.suse.com/1178187 https://bugzilla.suse.com/1178188 https://bugzilla.suse.com/1178202 https://bugzilla.suse.com/1178234 https://bugzilla.suse.com/1178330 From sle-security-updates at lists.suse.com Fri Nov 13 13:21:32 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 13 Nov 2020 21:21:32 +0100 (CET) Subject: SUSE-SU-2020:3326-1: moderate: Security update for the Linux Kernel Message-ID: <20201113202132.255F7FFA8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3326-1 Rating: moderate References: #1055014 #1058115 #1061843 #1065600 #1065729 #1066382 #1077428 #1112178 #1114648 #1131277 #1134760 #1157424 #1163592 #1167030 #1170415 
#1171558 #1172538 #1173432 #1174748 #1175520 #1175721 #1176354 #1176485 #1176560 #1176723 #1176907 #1176946 #1177086 #1177101 #1177271 #1177281 #1177410 #1177411 #1177470 #1177719 #1177740 #1177749 #1177750 #1177753 #1177754 #1177755 #1177766 #1177855 #1177856 #1177861 #1178003 #1178027 #1178166 #1178185 #1178187 #1178188 #1178202 #1178234 #1178330 SLE-10886 Cross-References: CVE-2020-0430 CVE-2020-14351 CVE-2020-16120 CVE-2020-25285 CVE-2020-25656 CVE-2020-25705 CVE-2020-8694 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that solves 7 vulnerabilities, contains one feature and has 47 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086). - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). - CVE-2020-25705: A ICMP global rate limiting side-channel was removed which could lead to e.g. the SADDNS attack (bsc#1175721) The following non-security bugs were fixed: - ACPI: dock: fix enum-conversion warning (git-fixes). - ALSA: bebob: potential info leak in hwdep_read() (git-fixes). - ALSA: compress_offload: remove redundant initialization (git-fixes). 
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- Disable ipa-clones dump for KMP builds (bsc#1178330). The feature is not really useful for KMP, and rather confusing, so let's disable it when building out-of-tree code.
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- Fix use after free in get_capset_info callback (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1114648).
- perf/x86: Fix n_pair for cancelled txn (bsc#1114648).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- usb: serial: qcserial: fix altsetting probing (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: don't update mtime on COW faults (bsc#1167030).
- xfs: limit entries returned when counting fsmap records (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:

   zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3326=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3326=1

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3326=1

- SUSE Linux Enterprise Live Patching 12-SP5:

   zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3326=1

- SUSE Linux Enterprise High Availability 12-SP5:

   zypper in -t patch SUSE-SLE-HA-12-SP5-2020-3326=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

   kernel-default-debuginfo-4.12.14-122.51.2
   kernel-default-debugsource-4.12.14-122.51.2
   kernel-default-extra-4.12.14-122.51.2
   kernel-default-extra-debuginfo-4.12.14-122.51.2

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

   kernel-obs-build-4.12.14-122.51.2
   kernel-obs-build-debugsource-4.12.14-122.51.2

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

   kernel-docs-4.12.14-122.51.2

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   kernel-default-4.12.14-122.51.2
   kernel-default-base-4.12.14-122.51.2
   kernel-default-base-debuginfo-4.12.14-122.51.2
   kernel-default-debuginfo-4.12.14-122.51.2
   kernel-default-debugsource-4.12.14-122.51.2
   kernel-default-devel-4.12.14-122.51.2
   kernel-syms-4.12.14-122.51.2

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

   kernel-default-devel-debuginfo-4.12.14-122.51.2

- SUSE Linux Enterprise Server 12-SP5 (noarch):

   kernel-devel-4.12.14-122.51.2
   kernel-macros-4.12.14-122.51.2
   kernel-source-4.12.14-122.51.2

- SUSE Linux Enterprise Server 12-SP5 (s390x):

   kernel-default-man-4.12.14-122.51.2

- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

   kernel-default-debuginfo-4.12.14-122.51.2
   kernel-default-debugsource-4.12.14-122.51.2
   kernel-default-kgraft-4.12.14-122.51.2
   kernel-default-kgraft-devel-4.12.14-122.51.2
   kgraft-patch-4_12_14-122_51-default-1-8.5.2

- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

   cluster-md-kmp-default-4.12.14-122.51.2
   cluster-md-kmp-default-debuginfo-4.12.14-122.51.2
   dlm-kmp-default-4.12.14-122.51.2
   dlm-kmp-default-debuginfo-4.12.14-122.51.2
   gfs2-kmp-default-4.12.14-122.51.2
   gfs2-kmp-default-debuginfo-4.12.14-122.51.2
   kernel-default-debuginfo-4.12.14-122.51.2
   kernel-default-debugsource-4.12.14-122.51.2
   ocfs2-kmp-default-4.12.14-122.51.2
   ocfs2-kmp-default-debuginfo-4.12.14-122.51.2

References:

https://www.suse.com/security/cve/CVE-2020-0430.html
https://www.suse.com/security/cve/CVE-2020-14351.html
https://www.suse.com/security/cve/CVE-2020-16120.html
https://www.suse.com/security/cve/CVE-2020-25285.html
https://www.suse.com/security/cve/CVE-2020-25656.html
https://www.suse.com/security/cve/CVE-2020-25705.html
https://www.suse.com/security/cve/CVE-2020-8694.html
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1058115
https://bugzilla.suse.com/1061843
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1066382
https://bugzilla.suse.com/1077428
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1131277
https://bugzilla.suse.com/1134760
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1167030
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1171558
https://bugzilla.suse.com/1172538
https://bugzilla.suse.com/1173432
https://bugzilla.suse.com/1174748
https://bugzilla.suse.com/1175520
https://bugzilla.suse.com/1175721
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1176485
https://bugzilla.suse.com/1176560
https://bugzilla.suse.com/1176723
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176946
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177101
https://bugzilla.suse.com/1177271
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177719
https://bugzilla.suse.com/1177740
https://bugzilla.suse.com/1177749
https://bugzilla.suse.com/1177750
https://bugzilla.suse.com/1177753
https://bugzilla.suse.com/1177754
https://bugzilla.suse.com/1177755
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177855
https://bugzilla.suse.com/1177856
https://bugzilla.suse.com/1177861
https://bugzilla.suse.com/1178003
https://bugzilla.suse.com/1178027
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178187
https://bugzilla.suse.com/1178188
https://bugzilla.suse.com/1178202
https://bugzilla.suse.com/1178234
https://bugzilla.suse.com/1178330

From sle-security-updates at lists.suse.com Mon Nov 16 07:17:12 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2020 15:17:12 +0100 (CET)
Subject: SUSE-SU-2020:3333-1: important: Security update for gdm
Message-ID: <20201116141712.6B27FFFA8@maintenance.suse.de>

SUSE Security Update: Security update for gdm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3333-1
Rating:             important
References:         #1178150
Cross-References:   CVE-2020-16125
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for gdm fixes the following issues:

- Exit with failure if loading existing users fails (bsc#1178150 CVE-2020-16125).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

   zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3333=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

   gdm-3.34.1-8.9.1
   gdm-debuginfo-3.34.1-8.9.1
   gdm-debugsource-3.34.1-8.9.1
   gdm-devel-3.34.1-8.9.1
   libgdm1-3.34.1-8.9.1
   libgdm1-debuginfo-3.34.1-8.9.1
   typelib-1_0-Gdm-1_0-3.34.1-8.9.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):

   gdm-lang-3.34.1-8.9.1
   gdm-systemd-3.34.1-8.9.1
   gdmflexiserver-3.34.1-8.9.1

References:

https://www.suse.com/security/cve/CVE-2020-16125.html
https://bugzilla.suse.com/1178150

From sle-security-updates at lists.suse.com Mon Nov 16 07:19:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2020 15:19:07 +0100 (CET)
Subject: SUSE-SU-2020:3330-1: important: Security update for kernel-firmware
Message-ID: <20201116141907.1C16CFFA8@maintenance.suse.de>

SUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3330-1
Rating:             important
References:         #1178671
Cross-References:   CVE-2020-12321
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for kernel-firmware fixes the following issue:

- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3330=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3330=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

   kernel-firmware-20200107-3.15.1
   ucode-amd-20200107-3.15.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

   kernel-firmware-20200107-3.15.1
   ucode-amd-20200107-3.15.1

References:

https://www.suse.com/security/cve/CVE-2020-12321.html
https://bugzilla.suse.com/1178671

From sle-security-updates at lists.suse.com Mon Nov 16 07:21:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2020 15:21:16 +0100 (CET)
Subject: SUSE-SU-2020:3331-1: important: Security update for MozillaFirefox
Message-ID: <20201116142116.D36F6FFA8@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3331-1
Rating:             important
References:         #1178588
Cross-References:   CVE-2020-26950
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion
                    Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.4.1 ESR
  * Fixed: Security fix MFSA 2020-49 (bsc#1178588)
  * CVE-2020-26950 (bmo#1675905): Write side effects in MCallGetProperty opcode not accounted for

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3331=1

- SUSE OpenStack Cloud Crowbar 8:

   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3331=1

- SUSE OpenStack Cloud 9:

   zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3331=1

- SUSE OpenStack Cloud 8:

   zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3331=1

- SUSE OpenStack Cloud 7:

   zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3331=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3331=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

   zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3331=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

   zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3331=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

   zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3331=1

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3331=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3331=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3331=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3331=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3331=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3331=1

- SUSE Enterprise Storage 5:

   zypper in -t patch SUSE-Storage-5-2020-3331=1

- HPE Helion Openstack 8:

   zypper in -t patch HPE-Helion-OpenStack-8-2020-3331=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE OpenStack Cloud 9 (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE OpenStack Cloud 8 (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE OpenStack Cloud 7 (s390x x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1
- HPE Helion Openstack 8 (x86_64):
   MozillaFirefox-78.4.1-112.32.1
   MozillaFirefox-debuginfo-78.4.1-112.32.1
   MozillaFirefox-debugsource-78.4.1-112.32.1
   MozillaFirefox-devel-78.4.1-112.32.1
   MozillaFirefox-translations-common-78.4.1-112.32.1

References:

https://www.suse.com/security/cve/CVE-2020-26950.html
https://bugzilla.suse.com/1178588

From sle-security-updates at lists.suse.com Mon Nov 16 10:22:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2020 18:22:49 +0100 (CET)
Subject: SUSE-SU-2020:3343-1: moderate: Security update for postgresql, postgresql96, postgresql10 and postgresql12
Message-ID: <20201116172249.2C884FFA2@maintenance.suse.de>

SUSE Security Update: Security update for postgresql, postgresql96, postgresql10 and postgresql12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3343-1
Rating:             moderate
References:         #1171924 ECO-923 PM-1472 SLE-11078
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that contains security fixes and contains three features can now be installed.

Description:

This update changes the internal packaging for postgresql, and so contains all currently maintained postgresql versions across our SUSE Linux Enterprise 12 products.

* postgresql12 is shipped new in version 12.3 (bsc#1171924). The server and client packages are shipped only on SUSE Linux Enterprise Server 12 SP5, the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
  + https://www.postgresql.org/about/news/2038/
  + https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924). On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
  + https://www.postgresql.org/about/news/2038/
  + https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
  + https://www.postgresql.org/about/news/2038/
  + https://www.postgresql.org/docs/9.6/release-9-6-18.html
  On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
  + https://www.postgresql.org/about/news/2011/
  + https://www.postgresql.org/docs/9.4/release-9-4-26.html
  + https://www.postgresql.org/about/news/1994/
  + https://www.postgresql.org/docs/9.4/release-9-4-25.html

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
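The check a practitioner usually wants after "zypper patch" is whether every package named in the advisory's package list is now at or above the fixed version on the host. The script below is an added example and is not part of the SUSE announcement or of any SUSE tooling: it parses the flattened "Package List" format used in this archive, compares it with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, and reports packages that are still older than the advisory requires. The advisory excerpt and the rpm output embedded in it are constructed test data (the rpm lines describe a hypothetical SLES 12-SP5 host that applied only part of the update). The version comparison is a simplified reimplementation of librpm's rpmvercmp() that ignores epochs and the '^' marker, so on a real host treat any disagreement with `rpm -q` as a reason to trust rpm.

```python
import re

# Constructed test input: an excerpt of the SUSE-SU-2020:3343-1 "Package List"
# section in the flattened one-line form this list archive uses.
ADVISORY_EXCERPT = (
    "Package List: "
    "- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): "
    "libecpg6-12.4-3.5.1 libpq5-12.4-3.5.1 postgresql10-server-10.14-4.4.1 "
    "postgresql12-server-12.4-3.5.1 "
    "- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpq5-32bit-12.4-3.5.1 "
    "- SUSE Linux Enterprise Server 12-SP5 (noarch): postgresql-12.0.1-4.4.1 "
    "postgresql-server-12.0.1-4.4.1 "
    "References: https://bugzilla.suse.com/1171924"
)

# Constructed output of:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# on a hypothetical SLES 12-SP5 host that applied only part of the update.
INSTALLED_QUERY_OUTPUT = """\
libpq5-12.4-3.5.1
libpq5-32bit-12.3-3.2.1
postgresql10-server-10.14-4.4.1
postgresql12-server-12.3-3.3.1
postgresql-12.0.1-4.4.1
postgresql-server-12.0.1-4.4.1
bash-4.4-91.5.1
"""

_PRODUCT = re.compile(r"- (?P<product>[^()]+?) \((?P<archs>[^)]*)\):")
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def split_nvr(token):
    """'libpq5-32bit-12.4-3.5.1' -> ('libpq5-32bit', '12.4', '3.5.1').
    Package names may contain '-', so split from the right."""
    name, version, release = token.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified librpm rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal.
    Handles digit/alpha segments and the '~' pre-release marker; no '^' support."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:                       # '~' sorts before anything else
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):             # numeric compare drops leading zeros
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Common prefix equal: the longer string is newer, unless its extra part
    # starts with '~' (e.g. 1.0~rc1 is older than 1.0).
    longer, shorter = (sa, sb) if len(sa) > len(sb) else (sb, sa)
    tail_is_tilde = longer[len(shorter)] == "~"
    if longer is sa:
        return -1 if tail_is_tilde else 1
    return 1 if tail_is_tilde else -1


def evr_cmp(evr_a, evr_b):
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(evr_a[0], evr_b[0])
    return c if c else rpmvercmp(evr_a[1], evr_b[1])


def parse_package_list(text):
    """Map product name -> {package name: (version, release)} from a flattened
    advisory. Architecture groups of the same product are merged."""
    body = text.split("Package List:", 1)[1].split("References:", 1)[0]
    products = {}
    heads = list(_PRODUCT.finditer(body))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(body)
        fixed = products.setdefault(head.group("product"), {})
        for token in body[head.end():end].split():
            name, version, release = split_nvr(token)
            fixed[name] = (version, release)
    return products


def parse_installed(text):
    """Parse 'NAME-VERSION-RELEASE' lines as printed by the rpm query above."""
    return dict((n, (v, r)) for n, v, r in (split_nvr(t) for t in text.split()))


def unpatched(product, advisory_text, installed_text):
    """Installed packages from `product`'s list that are still below the fixed EVR."""
    fixed = parse_package_list(advisory_text)[product]
    installed = parse_installed(installed_text)
    return sorted(name for name, evr in installed.items()
                  if name in fixed and evr_cmp(evr, fixed[name]) < 0)


if __name__ == "__main__":
    still_old = unpatched("SUSE Linux Enterprise Server 12-SP5",
                          ADVISORY_EXCERPT, INSTALLED_QUERY_OUTPUT)
    print("still below fixed version:", still_old)
```

On a real host, replace INSTALLED_QUERY_OUTPUT with the captured rpm query and ADVISORY_EXCERPT with the full announcement text; packages the advisory lists but the host does not have installed are deliberately not reported, since an absent package cannot be vulnerable.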
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3343=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3343=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3343=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3343=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3343=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3343=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3343=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3343=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3343=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3343=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3343=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3343=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3343=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3343=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3343=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3343=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-3343=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
- SUSE OpenStack Cloud Crowbar 9 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
- SUSE OpenStack Cloud Crowbar 8 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE OpenStack Cloud 9 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
- SUSE OpenStack Cloud 9 (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
- SUSE OpenStack Cloud 8 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE OpenStack Cloud 8 (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql94-9.4.26-24.3.1
   postgresql94-contrib-9.4.26-24.3.1
   postgresql94-contrib-debuginfo-9.4.26-24.3.1
   postgresql94-debuginfo-9.4.26-24.3.1
   postgresql94-debugsource-9.4.26-24.3.1
   postgresql94-plperl-9.4.26-24.3.1
   postgresql94-plperl-debuginfo-9.4.26-24.3.1
   postgresql94-plpython-9.4.26-24.3.1
   postgresql94-plpython-debuginfo-9.4.26-24.3.1
   postgresql94-pltcl-9.4.26-24.3.1
   postgresql94-pltcl-debuginfo-9.4.26-24.3.1
   postgresql94-server-9.4.26-24.3.1
   postgresql94-server-debuginfo-9.4.26-24.3.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE OpenStack Cloud 7 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql94-docs-9.4.26-24.3.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-devel-10.14-4.4.1
   postgresql10-devel-debuginfo-10.14-4.4.1
   postgresql12-debugsource-12.4-3.5.1
   postgresql12-devel-12.4-3.5.1
   postgresql12-devel-debuginfo-12.4-3.5.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64):
   postgresql12-server-devel-12.4-3.5.1
   postgresql12-server-devel-debuginfo-12.4-3.5.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
   postgresql-devel-12.0.1-4.4.1
   postgresql-server-devel-12.0.1-4.4.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql94-9.4.26-24.3.1
   postgresql94-contrib-9.4.26-24.3.1
   postgresql94-contrib-debuginfo-9.4.26-24.3.1
   postgresql94-debuginfo-9.4.26-24.3.1
   postgresql94-debugsource-9.4.26-24.3.1
   postgresql94-plperl-9.4.26-24.3.1
   postgresql94-plperl-debuginfo-9.4.26-24.3.1
   postgresql94-plpython-9.4.26-24.3.1
   postgresql94-plpython-debuginfo-9.4.26-24.3.1
   postgresql94-pltcl-9.4.26-24.3.1
   postgresql94-pltcl-debuginfo-9.4.26-24.3.1
   postgresql94-server-9.4.26-24.3.1
   postgresql94-server-debuginfo-9.4.26-24.3.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql94-docs-9.4.26-24.3.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql12-12.4-3.5.1
   postgresql12-contrib-12.4-3.5.1
   postgresql12-contrib-debuginfo-12.4-3.5.1
   postgresql12-debuginfo-12.4-3.5.1
   postgresql12-debugsource-12.4-3.5.1
   postgresql12-plperl-12.4-3.5.1
   postgresql12-plperl-debuginfo-12.4-3.5.1
   postgresql12-plpython-12.4-3.5.1
   postgresql12-plpython-debuginfo-12.4-3.5.1
   postgresql12-pltcl-12.4-3.5.1
   postgresql12-pltcl-debuginfo-12.4-3.5.1
   postgresql12-server-12.4-3.5.1
   postgresql12-server-debuginfo-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql12-docs-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql94-9.4.26-24.3.1
   postgresql94-contrib-9.4.26-24.3.1
   postgresql94-contrib-debuginfo-9.4.26-24.3.1
   postgresql94-debuginfo-9.4.26-24.3.1
   postgresql94-debugsource-9.4.26-24.3.1
   postgresql94-plperl-9.4.26-24.3.1
   postgresql94-plperl-debuginfo-9.4.26-24.3.1
   postgresql94-plpython-9.4.26-24.3.1
   postgresql94-plpython-debuginfo-9.4.26-24.3.1
   postgresql94-pltcl-9.4.26-24.3.1
   postgresql94-pltcl-debuginfo-9.4.26-24.3.1
   postgresql94-server-9.4.26-24.3.1
   postgresql94-server-debuginfo-9.4.26-24.3.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql94-docs-9.4.26-24.3.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql94-9.4.26-24.3.1
   postgresql94-contrib-9.4.26-24.3.1
   postgresql94-contrib-debuginfo-9.4.26-24.3.1
   postgresql94-debuginfo-9.4.26-24.3.1
   postgresql94-debugsource-9.4.26-24.3.1
   postgresql94-plperl-9.4.26-24.3.1
   postgresql94-plperl-debuginfo-9.4.26-24.3.1
   postgresql94-plpython-9.4.26-24.3.1
   postgresql94-plpython-debuginfo-9.4.26-24.3.1
   postgresql94-pltcl-9.4.26-24.3.1
   postgresql94-pltcl-debuginfo-9.4.26-24.3.1
   postgresql94-server-9.4.26-24.3.1
   postgresql94-server-debuginfo-9.4.26-24.3.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql94-docs-9.4.26-24.3.1
   postgresql96-docs-9.6.19-6.4.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- SUSE Enterprise Storage 5 (x86_64):
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
- SUSE Enterprise Storage 5 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1
- HPE Helion Openstack 8 (x86_64):
   libecpg6-12.4-3.5.1
   libecpg6-debuginfo-12.4-3.5.1
   libpq5-12.4-3.5.1
   libpq5-32bit-12.4-3.5.1
   libpq5-debuginfo-12.4-3.5.1
   libpq5-debuginfo-32bit-12.4-3.5.1
   postgresql10-10.14-4.4.1
   postgresql10-contrib-10.14-4.4.1
   postgresql10-contrib-debuginfo-10.14-4.4.1
   postgresql10-debuginfo-10.14-4.4.1
   postgresql10-debugsource-10.14-4.4.1
   postgresql10-plperl-10.14-4.4.1
   postgresql10-plperl-debuginfo-10.14-4.4.1
   postgresql10-plpython-10.14-4.4.1
   postgresql10-plpython-debuginfo-10.14-4.4.1
   postgresql10-pltcl-10.14-4.4.1
   postgresql10-pltcl-debuginfo-10.14-4.4.1
   postgresql10-server-10.14-4.4.1
   postgresql10-server-debuginfo-10.14-4.4.1
   postgresql96-9.6.19-6.4.1
   postgresql96-contrib-9.6.19-6.4.1
   postgresql96-contrib-debuginfo-9.6.19-6.4.1
   postgresql96-debuginfo-9.6.19-6.4.1
   postgresql96-debugsource-9.6.19-6.4.1
   postgresql96-plperl-9.6.19-6.4.1
   postgresql96-plperl-debuginfo-9.6.19-6.4.1
   postgresql96-plpython-9.6.19-6.4.1
   postgresql96-plpython-debuginfo-9.6.19-6.4.1
   postgresql96-pltcl-9.6.19-6.4.1
   postgresql96-pltcl-debuginfo-9.6.19-6.4.1
   postgresql96-server-9.6.19-6.4.1
   postgresql96-server-debuginfo-9.6.19-6.4.1
- HPE Helion Openstack 8 (noarch):
   postgresql-12.0.1-4.4.1
   postgresql-contrib-12.0.1-4.4.1
   postgresql-docs-12.0.1-4.4.1
   postgresql-plperl-12.0.1-4.4.1
   postgresql-plpython-12.0.1-4.4.1
   postgresql-pltcl-12.0.1-4.4.1
   postgresql-server-12.0.1-4.4.1
   postgresql10-docs-10.14-4.4.1
   postgresql96-docs-9.6.19-6.4.1

References:

https://bugzilla.suse.com/1171924

From sle-security-updates at lists.suse.com Mon Nov 16 13:14:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Nov 2020 21:14:58 +0100 (CET)
Subject: SUSE-SU-2020:3349-1: important: Security update for kernel-firmware
Message-ID: <20201116201458.0DC3CFFC1@maintenance.suse.de>

SUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3349-1
Rating:             important
References:         #1178671
Cross-References:   CVE-2020-12321
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for kernel-firmware fixes the following issue:

- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3349=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3349=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3349=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3349=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (noarch):
   kernel-firmware-20191118-3.34.1
   ucode-amd-20191118-3.34.1
- SUSE Linux Enterprise Server 15-LTSS (noarch):
   kernel-firmware-20191118-3.34.1
   ucode-amd-20191118-3.34.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
   kernel-firmware-20191118-3.34.1
   ucode-amd-20191118-3.34.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
   kernel-firmware-20191118-3.34.1
   ucode-amd-20191118-3.34.1

References:

https://www.suse.com/security/cve/CVE-2020-12321.html
https://bugzilla.suse.com/1178671

From sle-security-updates at lists.suse.com Mon Nov 16 16:14:59 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 00:14:59 +0100 (CET)
Subject: SUSE-SU-2020:3351-1: important: Security update for raptor
Message-ID: <20201116231459.91D9CFFA2@maintenance.suse.de>

SUSE Security Update: Security update for raptor
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3351-1
Rating:             important
References:         #1178593
Cross-References:   CVE-2017-18926
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for raptor fixes the following issues:

- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
  * Made several fixes to Turtle / N-Triples family of parsers and serializers
  * Added utility functions for re-entrant sorting of objects and sequences.
  * Made other fixes and improvements including fixing reported issues: 0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3351=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3351=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3351=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3351=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3351=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3351=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3351=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3351=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3351=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3351=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3351=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3351=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3351=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3351=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3351=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3351=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3351=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3351=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libraptor2-0-2.0.15-5.3.1 
libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE OpenStack Cloud 9 (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE OpenStack Cloud 8 (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): raptor-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libraptor-devel-2.0.15-5.3.1 raptor-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libraptor2-0-2.0.15-5.3.1 
libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 - HPE Helion Openstack 8 (x86_64): libraptor2-0-2.0.15-5.3.1 libraptor2-0-debuginfo-2.0.15-5.3.1 raptor-debuginfo-2.0.15-5.3.1 raptor-debugsource-2.0.15-5.3.1 References: https://www.suse.com/security/cve/CVE-2017-18926.html https://bugzilla.suse.com/1178593 From sle-security-updates at lists.suse.com Mon Nov 16 16:16:07 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 17 Nov 2020 00:16:07 +0100 (CET) Subject: SUSE-SU-2020:3350-1: important: Security update for raptor Message-ID: <20201116231607.D57FBFFA2@maintenance.suse.de> SUSE Security Update: Security update for raptor ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3350-1 Rating: important References: #1178593 Cross-References: CVE-2017-18926 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for raptor fixes the following issues: - Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926). 
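   Before running the patch command it is worth knowing which of the listed
   packages a host actually has below the fixed build. The script below is an
   added example, not SUSE tooling and not part of the advisory text: it
   re-implements rpm's version ordering (rpmvercmp) in pure Python so it runs
   offline, takes the fixed builds for SUSE Linux Enterprise Server 12-SP5 from
   SUSE-SU-2020:3351-1 (raptor) above and SUSE-SU-2020:3353-1 (kernel-firmware)
   below, and compares them with a constructed list of installed packages in
   which the release numbers 5.11.1 and 7.41.1 are made up for the demonstration.

```python
"""Compare installed RPM name-version-release strings against an advisory.

Added example, not part of the SUSE advisories. rpm's rpmvercmp() is
re-implemented here so the check runs offline; on a real host the
installed list comes from:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
The INSTALLED list below is constructed sample data.
"""
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_SEPARATORS = re.compile(r"^[^A-Za-z0-9~]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(a, b).

    Digit runs compare numerically, letter runs lexically, a digit run
    beats a letter run, and '~' sorts before everything including the
    end of the string ("1.0~rc1" < "1.0"). The '^' rule of newer rpm
    releases is not implemented.
    """
    if a == b:
        return 0
    while a or b:
        a = _SEPARATORS.sub("", a)      # skip '.', '-', '_', ...
        b = _SEPARATORS.sub("", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        seg_a = _SEGMENT.match(a).group(0)
        seg_b = _SEGMENT.match(b).group(0)
        if seg_a[0].isdigit() != seg_b[0].isdigit():
            return 1 if seg_a[0].isdigit() else -1   # numeric side is newer
        if seg_a[0].isdigit():
            if int(seg_a) != int(seg_b):
                return 1 if int(seg_a) > int(seg_b) else -1
        elif seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        a, b = a[len(seg_a):], b[len(seg_b):]
    if not a and not b:
        return 0
    return 1 if a else -1                # whatever is left over is newer


def split_nvr(nvr: str):
    """'libraptor2-0-2.0.15-5.3.1' -> ('libraptor2-0', '2.0.15', '5.3.1').

    Splitting from the right keeps hyphenated names intact. This format
    carries no epoch, so both sides are assumed to be epoch 0.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed, fixed) -> int:
    """Order (version, release) pairs the way rpm orders EVRs."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def unpatched(installed_nvrs, advisory_nvrs):
    """Map name -> (installed VR, fixed VR) for every advisory package
    that is installed below the fixed build; other packages are ignored."""
    fixed = {}
    for n, v, r in map(split_nvr, advisory_nvrs):
        fixed[n] = (v, r)
    result = {}
    for n, v, r in map(split_nvr, installed_nvrs):
        if n in fixed and compare_vr((v, r), fixed[n]) < 0:
            result[n] = ("%s-%s" % (v, r), "%s-%s" % fixed[n])
    return result


# Fixed builds for SUSE Linux Enterprise Server 12-SP5, copied from
# SUSE-SU-2020:3351-1 (raptor) and SUSE-SU-2020:3353-1 (kernel-firmware).
ADVISORY_SLES12_SP5 = [
    "libraptor2-0-2.0.15-5.3.1",
    "libraptor2-0-debuginfo-2.0.15-5.3.1",
    "kernel-firmware-20190618-5.14.1",
    "ucode-amd-20190618-5.14.1",
]

# Constructed sample of what the host reports (5.11.1 and 7.41.1 are made up).
INSTALLED = [
    "kernel-firmware-20190618-5.11.1",
    "ucode-amd-20190618-5.14.1",
    "libraptor2-0-2.0.15-5.3.1",
    "python-base-2.7.17-7.41.1",
]

if __name__ == "__main__":
    for name, (have, want) in sorted(unpatched(INSTALLED, ADVISORY_SLES12_SP5).items()):
        print("%s: installed %s, fixed in %s" % (name, have, want))
```

   Only compare against the package list for the product that is actually
   installed: the 12-SP3 fix for the same CVE ships as
   kernel-firmware-20170530-21.31.1 (SUSE-SU-2020:3354-1), which this ordering
   ranks below the 12-SP5 build 20190618-5.14.1 even though it is the correct
   patched package there. On the host itself, "zypper list-patches" answers the
   same question from the repository metadata.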
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3350=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
      libraptor-devel-2.0.15-3.3.1
      libraptor2-0-2.0.15-3.3.1
      libraptor2-0-debuginfo-2.0.15-3.3.1
      raptor-2.0.15-3.3.1
      raptor-debuginfo-2.0.15-3.3.1
      raptor-debugsource-2.0.15-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2017-18926.html
   https://bugzilla.suse.com/1178593


From sle-security-updates at lists.suse.com  Tue Nov 17 07:15:59 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 15:15:59 +0100 (CET)
Subject: SUSE-SU-2020:3353-1: important: Security update for kernel-firmware
Message-ID: <20201117141559.81585FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3353-1
Rating:             important
References:         #1178671
Cross-References:   CVE-2020-12321
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for kernel-firmware fixes the following issue:

   - CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow
     security bugs (bsc#1178671).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3353=1
   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3353=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3353=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3353=1
   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3353=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):
      kernel-firmware-20190618-5.14.1
      ucode-amd-20190618-5.14.1
   - SUSE OpenStack Cloud 9 (noarch):
      kernel-firmware-20190618-5.14.1
      ucode-amd-20190618-5.14.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
      kernel-firmware-20190618-5.14.1
      ucode-amd-20190618-5.14.1
   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      kernel-firmware-20190618-5.14.1
      ucode-amd-20190618-5.14.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
      kernel-firmware-20190618-5.14.1
      ucode-amd-20190618-5.14.1

References:

   https://www.suse.com/security/cve/CVE-2020-12321.html
   https://bugzilla.suse.com/1178671


From sle-security-updates at lists.suse.com  Tue Nov 17 07:17:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 15:17:00 +0100 (CET)
Subject: SUSE-SU-2020:3352-1: important: Security update for raptor
Message-ID: <20201117141700.455EFFFA8@maintenance.suse.de>

   SUSE Security Update: Security update for raptor
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3352-1
Rating:             important
References:         #1178593
Cross-References:   CVE-2017-18926
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for raptor fixes the following issues:

   - Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3352=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
      libraptor-devel-2.0.15-9.3.1
      libraptor2-0-2.0.15-9.3.1
      libraptor2-0-debuginfo-2.0.15-9.3.1
      raptor-2.0.15-9.3.1
      raptor-debuginfo-2.0.15-9.3.1
      raptor-debugsource-2.0.15-9.3.1

References:

   https://www.suse.com/security/cve/CVE-2017-18926.html
   https://bugzilla.suse.com/1178593


From sle-security-updates at lists.suse.com  Tue Nov 17 07:19:03 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 15:19:03 +0100 (CET)
Subject: SUSE-SU-2020:3354-1: important: Security update for kernel-firmware
Message-ID: <20201117141903.9EFC3FFA8@maintenance.suse.de>

   SUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3354-1
Rating:             important
References:         #1178671
Cross-References:   CVE-2020-12321
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for kernel-firmware fixes the following issue:

   - CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow
     security bugs (bsc#1178671).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3354=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3354=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3354=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3354=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3354=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3354=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3354=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3354=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3354=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-3354=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-3354=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE OpenStack Cloud 8 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE OpenStack Cloud 7 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - SUSE Enterprise Storage 5 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1
   - HPE Helion Openstack 8 (noarch):
      kernel-firmware-20170530-21.31.1
      ucode-amd-20170530-21.31.1

References:

   https://www.suse.com/security/cve/CVE-2020-12321.html
   https://bugzilla.suse.com/1178671


From sle-security-updates at lists.suse.com  Tue Nov 17 10:19:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 18:19:07 +0100 (CET)
Subject: SUSE-SU-2020:3359-1: moderate: Security update for java-11-openjdk
Message-ID: <20201117171907.549B3FFA2@maintenance.suse.de>

   SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3359-1
Rating:             moderate
References:         #1177943
Cross-References:   CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792
                    CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803
Affected Products:
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for java-11-openjdk fixes the following issues:

   - Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943)
     * New features
       + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector
     * Security fixes
       + JDK-8233624: Enhance JNI linkage
       + JDK-8236196: Improve string pooling
       + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
       + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
       + JDK-8237995, CVE-2020-14782: Enhance certificate processing
       + JDK-8240124: Better VM Interning
       + JDK-8241114, CVE-2020-14792: Better range handling
       + JDK-8242680, CVE-2020-14796: Improved URI Support
       + JDK-8242685, CVE-2020-14797: Better Path Validation
       + JDK-8242695, CVE-2020-14798: Enhanced buffer support
       + JDK-8243302: Advanced class supports
       + JDK-8244136, CVE-2020-14803: Improved Buffer supports
       + JDK-8244479: Further constrain certificates
       + JDK-8244955: Additional Fix for JDK-8240124
       + JDK-8245407: Enhance zoning of times
       + JDK-8245412: Better class definitions
       + JDK-8245417: Improve certificate chain handling
       + JDK-8248574: Improve jpeg processing
       + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
       + JDK-8253019: Enhanced JPEG decoding
     * Other changes
       + JDK-6532025: GIF reader throws misleading exception with truncated images
       + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing an infinite loop
       + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails
       + JDK-8062947: Fix exception message to correctly represent LDAP connection failure
       + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
       + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use
       + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
       + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
       + JDK-8172404: Tools should warn if weak algorithms are used before restricting them
       + JDK-8193367: Annotated type variable bounds crash javac
       + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset
       + JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
       + JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called
       + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass
       + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
       + JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java
       + JDK-8204963: javax.swing.border.TitledBorder has a memory leak
       + JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
       + JDK-8205534: Remove SymbolTable dependency from serviceability agent
       + JDK-8206309: Tier1 SA tests fail
       + JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out
       + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1
       + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
       + JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent!
+ JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ /ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + JDK-8211694: JShell: Redeclared variable should be reset + JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. 
lastLine=52, minLine=52, maxLine=55 + JDK-8212807: tools/jar/multiRelease/Basic.java times out + JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + JDK-8213214: Set -Djava.io.tmpdir= when running tests + JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + JDK-8214074: Ghash optimization using AVX instructions + JDK-8214491: Upgrade to JLine 3.9.0 + JDK-8214797: TestJmapCoreMetaspace.java timed out + JDK-8215243: JShell tests failing intermitently with "Problem cleaning up the following threads:" + JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + JDK-8215438: jshell tool: Ctrl-D causes EOF + JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + JDK-8216974: HttpConnection not returned to the pool after 204 response + JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + JDK-8221658: aarch64: add necessary predicate for ubfx patterns + JDK-8221759: Crash when completing "java.io.File.path" + JDK-8221918: runtime/SharedArchiveFile/serviceability/ /ReplaceCriticalClasses.java fails: Shared archive not found + JDK-8222074: Enhance auto vectorization for x86 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + JDK-8223688: JShell: crash on the instantiation of raw anonymous class 
+ JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + JDK-8223940: Private key not supported by chosen signature algorithm + JDK-8224184: jshell got IOException at exiting with AIX + JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + JDK-8226536: Catch OOM from deopt that fails rematerializing objects + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8227059: sun/security/tools/keytool/ /DefaultSignatureAlgorithm.java timed out + JDK-8227269: Slow class loading when running with JDWP + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6" + JDK-8228448: Jconsole can't connect to itself + JDK-8228967: Trust/Key store and SSL context utilities for tests + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8229815: Upgrade Jline to 3.12.1 + JDK-8230000: some httpclients testng tests run zero test + JDK-8230002: javax/xml/jaxp/unittest/transform/ /SecureProcessingTest.java runs zero test + JDK-8230010: Remove jdk8037819/BasicTest1.java + JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?" 
+ JDK-8230767: FlightRecorderListener returns null recording + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + JDK-8231586: enlarge encoding space for OopMapValue offsets + JDK-8231953: Wrong assumption in assertion in oop::register_oop + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + JDK-8232083: Minimal VM is broken after JDK-8231586 + JDK-8232161: Align some one-way conversion in MS950 charset with Windows + JDK-8232855: jshell missing word in /help help + JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + JDK-8233386: Initialize NULL fields for unused decorations + JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + JDK-8233686: XML transformer uses excessive amount of memory + JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + JDK-8234058: runtime/CompressedOops/ /CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + JDK-8234149: Several regression tests do not dispose Frame at end + JDK-8234347: "Turkey" meta time zone does not generate composed localized names + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/ /bug6980209.java fails in linux nightly + JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + JDK-8234541: C1 emits an empty message when it inlines successfully + JDK-8234687: change javap reporting on unknown attributes + JDK-8236464: SO_LINGER option is 
ignored by SSLSocket in JDK 11 + JDK-8236548: Localized time zone name inconsistency between English and other locales + JDK-8236617: jtreg test containers/docker/ /TestMemoryAwareness.java fails after 8226575 + JDK-8237182: Update copyright header for shenandoah and epsilon files + JDK-8237888: security/infra/java/security/cert/ /CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + JDK-8238284: [macos] Zero VM build fails due to an obvious typo + JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 + JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "shou ld be non-static concrete method"); + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8240169: javadoc fails to link to non-modular api docs + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8240360: NativeLibraryEvent has wrong library name on Linux + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: 
java.lang.NullPointerException + JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8242184: CRL generation error with RSASSA-PSS + JDK-8242283: Can't start JVM when java home path includes non-ASCII character + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8243029: Rewrite javax/net/ssl/compatibility/ /Compatibility.java with a flexible interop test framework + JDK-8243138: Enhance BaseLdapServer to support starttls extended request + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8243389: enhance os::pd_print_cpu_info on linux + JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + JDK-8244087: 2020-04-24 public suffix list update + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + JDK-8244196: adjust output in os_linux + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + JDK-8244287: JFR: Methods samples have line number 0 + JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI + JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" + JDK-8244729: Shenandoah: remove 
resolve paths from SBSA::generate_shenandoah_lrb
+ JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
+ JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
+ JDK-8245151: jarsigner should not raise duplicate warnings on verification
+ JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
+ JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
+ JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
+ JDK-8245832: JDK build make-static-libs should build all JDK libraries
+ JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan
+ JDK-8245981: Upgrade to jQuery 3.5.1
+ JDK-8246027: Minimal fastdebug build broken after JDK-8245801
+ JDK-8246094: [macos] Sound Recording and playback is not working
+ JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
+ JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError
+ JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
+ JDK-8246330: Add TLS Tests for Legacy ECDSA curves
+ JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place"
+ JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods
+ JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
+ JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code
+ JDK-8247615: Initialize the bytes left for the heap sampler
+ JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand
+ JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
+ JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention
+ JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield
+ JDK-8248348: Regression caused by the update to BCEL 6.0
+ JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1
+ JDK-8248495: [macos] zerovm is broken due to libffi headers location
+ JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
+ JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows
+ JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650
+ JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
+ JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
+ JDK-8249255: Build fails if source code in cygwin home dir
+ JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11
+ JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
+ JDK-8249560: Shenandoah: Fix racy GC request handling
+ JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
+ JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases
+ JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
+ JDK-8250609: C2 crash in IfNode::fold_compares
+ JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
+ JDK-8250787: Provider.put no longer registering aliases in FIPS env
+ JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM
+ JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk
+ JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds
+ JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+ JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure
+ JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+ JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
+ JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase
+ JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+ JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
+ JDK-8252258: [11u] JDK-8242154 changes the default vendor
+ JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011
+ JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
+ JDK-8253283: [11u] Test build/translations/ /VerifyTranslations.java failing after JDK-8252258
+ JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
+ Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)" introduced in jdk 11.0.9

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3359=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-3359=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3359=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3359=1

Package List:

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (noarch):
  java-11-openjdk-javadoc-11.0.9.0-3.48.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (noarch):
  java-11-openjdk-javadoc-11.0.9.0-3.48.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  java-11-openjdk-11.0.9.0-3.48.1
  java-11-openjdk-debuginfo-11.0.9.0-3.48.1
  java-11-openjdk-debugsource-11.0.9.0-3.48.1
  java-11-openjdk-demo-11.0.9.0-3.48.1
  java-11-openjdk-devel-11.0.9.0-3.48.1
  java-11-openjdk-headless-11.0.9.0-3.48.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  java-11-openjdk-11.0.9.0-3.48.1
  java-11-openjdk-debuginfo-11.0.9.0-3.48.1
  java-11-openjdk-debugsource-11.0.9.0-3.48.1
  java-11-openjdk-demo-11.0.9.0-3.48.1
  java-11-openjdk-devel-11.0.9.0-3.48.1
  java-11-openjdk-headless-11.0.9.0-3.48.1

References:

https://www.suse.com/security/cve/CVE-2020-14779.html
https://www.suse.com/security/cve/CVE-2020-14781.html
https://www.suse.com/security/cve/CVE-2020-14782.html
https://www.suse.com/security/cve/CVE-2020-14792.html
https://www.suse.com/security/cve/CVE-2020-14796.html
https://www.suse.com/security/cve/CVE-2020-14797.html
https://www.suse.com/security/cve/CVE-2020-14798.html
https://www.suse.com/security/cve/CVE-2020-14803.html
https://bugzilla.suse.com/1177943

From sle-security-updates at lists.suse.com Tue Nov 17 10:21:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 18:21:04 +0100 (CET)
Subject: SUSE-SU-2020:3360-1: moderate: Security update for tcpdump
Message-ID: <20201117172104.0F53CFFA2@maintenance.suse.de>

SUSE Security Update: Security update for tcpdump
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3360-1
Rating: moderate
References: #1153098 #1153332 #1178466
Cross-References: CVE-2017-16808 CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16301 CVE-2018-16451 CVE-2018-16452 CVE-2019-1010220 CVE-2019-15166 CVE-2019-15167 CVE-2020-8037
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 29 vulnerabilities is now available.

Description:

This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where the PPP decapsulator did not allocate the right buffer size (bsc#1178466).

The previous update of tcpdump already fixed various buffer overflow/overread vulnerabilities [bsc#1153098, bsc#1153332]:

- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)
- CVE-2018-14469 (IKEv1)
- CVE-2018-14470 (BABEL)
- CVE-2018-14466 (AFS/RX)
- CVE-2018-14461 (LDP)
- CVE-2018-14462 (ICMP)
- CVE-2018-14465 (RSVP)
- CVE-2018-14464 (LMP)
- CVE-2019-15166 (LMP)
- CVE-2018-14880 (OSPF6)
- CVE-2018-14882 (RPL)
- CVE-2018-16227 (802.11)
- CVE-2018-16229 (DCCP)
- CVE-2018-14467 (BGP)
- CVE-2018-14881 (BGP)
- CVE-2018-16230 (BGP)
- CVE-2018-16300 (BGP)
- CVE-2018-14463 (VRRP)
- CVE-2019-15167 (VRRP)
- CVE-2018-14879 (tcpdump -V)
- CVE-2018-16228 (HNCP) is a duplicate of the already fixed CVE-2019-1010220
- CVE-2018-16301 (fixed in libpcap)
- CVE-2018-16451 (SMB)
- CVE-2018-16452 (SMB)
- CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
- CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3360=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  tcpdump-4.9.2-14.17.1
  tcpdump-debuginfo-4.9.2-14.17.1
  tcpdump-debugsource-4.9.2-14.17.1

References:

https://www.suse.com/security/cve/CVE-2017-16808.html
https://www.suse.com/security/cve/CVE-2018-10103.html
https://www.suse.com/security/cve/CVE-2018-10105.html
https://www.suse.com/security/cve/CVE-2018-14461.html
https://www.suse.com/security/cve/CVE-2018-14462.html
https://www.suse.com/security/cve/CVE-2018-14463.html
https://www.suse.com/security/cve/CVE-2018-14464.html
https://www.suse.com/security/cve/CVE-2018-14465.html
https://www.suse.com/security/cve/CVE-2018-14466.html
https://www.suse.com/security/cve/CVE-2018-14467.html
https://www.suse.com/security/cve/CVE-2018-14468.html
https://www.suse.com/security/cve/CVE-2018-14469.html
https://www.suse.com/security/cve/CVE-2018-14470.html
https://www.suse.com/security/cve/CVE-2018-14879.html
https://www.suse.com/security/cve/CVE-2018-14880.html
https://www.suse.com/security/cve/CVE-2018-14881.html
https://www.suse.com/security/cve/CVE-2018-14882.html
https://www.suse.com/security/cve/CVE-2018-16227.html
https://www.suse.com/security/cve/CVE-2018-16228.html
https://www.suse.com/security/cve/CVE-2018-16229.html
https://www.suse.com/security/cve/CVE-2018-16230.html
https://www.suse.com/security/cve/CVE-2018-16300.html
https://www.suse.com/security/cve/CVE-2018-16301.html
https://www.suse.com/security/cve/CVE-2018-16451.html
https://www.suse.com/security/cve/CVE-2018-16452.html
https://www.suse.com/security/cve/CVE-2019-1010220.html
https://www.suse.com/security/cve/CVE-2019-15166.html
https://www.suse.com/security/cve/CVE-2019-15167.html
https://www.suse.com/security/cve/CVE-2020-8037.html
https://bugzilla.suse.com/1153098
https://bugzilla.suse.com/1153332
https://bugzilla.suse.com/1178466

From sle-security-updates at lists.suse.com Tue Nov 17 10:22:12 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Nov 2020 18:22:12 +0100 (CET)
Subject: SUSE-SU-2020:3358-1: moderate: Security update for tcpdump
Message-ID: <20201117172212.E1634FFA2@maintenance.suse.de>

SUSE Security Update: Security update for tcpdump
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3358-1
Rating: moderate
References: #1178466
Cross-References: CVE-2020-8037
Affected Products:
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where the PPP decapsulator did not allocate the right buffer size (bsc#1178466).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3358=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3358=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  tcpdump-4.9.2-3.12.1
  tcpdump-debuginfo-4.9.2-3.12.1
  tcpdump-debugsource-4.9.2-3.12.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  tcpdump-4.9.2-3.12.1
  tcpdump-debuginfo-4.9.2-3.12.1
  tcpdump-debugsource-4.9.2-3.12.1

References:

https://www.suse.com/security/cve/CVE-2020-8037.html
https://bugzilla.suse.com/1178466

From sle-security-updates at lists.suse.com Thu Nov 19 00:23:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 08:23:01 +0100 (CET)
Subject: SUSE-CU-2020:683-1: Security update of suse/sle15
Message-ID: <20201119072301.5714FF791@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:683-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.296
Container Release     : 4.22.296
Severity              : important
Type                  : security
References            : 1178387 CVE-2020-25692
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
From sle-security-updates at lists.suse.com Thu Nov 19 01:15:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 09:15:44 +0100 (CET)
Subject: SUSE-SU-2020:3367-1: moderate: Security update for libzypp, zypper
Message-ID: <20201119081544.95D6FF791@maintenance.suse.de>

SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3367-1
Rating: moderate
References: #1158763 #1169947 #1178038
Cross-References: CVE-2019-18900
Affected Products:
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for libzypp, zypper fixes the following issues:

libzypp fixes the following security issue:

- CVE-2019-18900: Fixed an assert cookie file that was world readable (bsc#1158763).

zypper was updated to fix the following issues:

- Fixed an issue where zypper crashed when the system language was set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038)
- Fixed a typo in the man page (bsc#1169947)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3367=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3367=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3367=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3367=1

Package List:

- SUSE OpenStack Cloud 7 (s390x x86_64):
  libzypp-16.21.2-27.70.1
  libzypp-debuginfo-16.21.2-27.70.1
  libzypp-debugsource-16.21.2-27.70.1
  libzypp-devel-16.21.2-27.70.1
  zypper-1.13.57-18.46.3
  zypper-debuginfo-1.13.57-18.46.3
  zypper-debugsource-1.13.57-18.46.3
- SUSE OpenStack Cloud 7 (noarch):
  zypper-log-1.13.57-18.46.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  libzypp-16.21.2-27.70.1
  libzypp-debuginfo-16.21.2-27.70.1
  libzypp-debugsource-16.21.2-27.70.1
  libzypp-devel-16.21.2-27.70.1
  zypper-1.13.57-18.46.3
  zypper-debuginfo-1.13.57-18.46.3
  zypper-debugsource-1.13.57-18.46.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
  zypper-log-1.13.57-18.46.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  libzypp-16.21.2-27.70.1
  libzypp-debuginfo-16.21.2-27.70.1
  libzypp-debugsource-16.21.2-27.70.1
  libzypp-devel-16.21.2-27.70.1
  zypper-1.13.57-18.46.3
  zypper-debuginfo-1.13.57-18.46.3
  zypper-debugsource-1.13.57-18.46.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
  zypper-log-1.13.57-18.46.3
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
  zypper-log-1.13.57-18.46.3
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  libzypp-16.21.2-27.70.1
  libzypp-debuginfo-16.21.2-27.70.1
  libzypp-debugsource-16.21.2-27.70.1
  libzypp-devel-16.21.2-27.70.1
  zypper-1.13.57-18.46.3
  zypper-debuginfo-1.13.57-18.46.3
  zypper-debugsource-1.13.57-18.46.3

References:

https://www.suse.com/security/cve/CVE-2019-18900.html
https://bugzilla.suse.com/1158763
https://bugzilla.suse.com/1169947
https://bugzilla.suse.com/1178038

From sle-security-updates at lists.suse.com Thu Nov 19 07:15:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:15:46 +0100 (CET)
Subject: SUSE-SU-2020:3379-1: moderate: Security update for krb5
Message-ID: <20201119141546.017A6F750@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3379-1
Rating: moderate
References: #1178512
Cross-References: CVE-2020-28196
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3379=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3379=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3379=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3379=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3379=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3379=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3379=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3379=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3379=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3379=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3379=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3379=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3379=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3379=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3379=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3379=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-3379=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE OpenStack Cloud 9 (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE OpenStack Cloud 8 (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE OpenStack Cloud 7 (s390x x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-devel-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  krb5-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2
- SUSE Enterprise Storage 5 (x86_64):
  krb5-32bit-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
- HPE Helion Openstack 8 (x86_64):
  krb5-1.12.5-40.40.2
  krb5-32bit-1.12.5-40.40.2
  krb5-client-1.12.5-40.40.2
  krb5-client-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-1.12.5-40.40.2
  krb5-debuginfo-32bit-1.12.5-40.40.2
  krb5-debugsource-1.12.5-40.40.2
  krb5-doc-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-1.12.5-40.40.2
  krb5-plugin-kdb-ldap-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-otp-1.12.5-40.40.2
  krb5-plugin-preauth-otp-debuginfo-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-1.12.5-40.40.2
  krb5-plugin-preauth-pkinit-debuginfo-1.12.5-40.40.2
  krb5-server-1.12.5-40.40.2
  krb5-server-debuginfo-1.12.5-40.40.2

References:

https://www.suse.com/security/cve/CVE-2020-28196.html
https://bugzilla.suse.com/1178512

From sle-security-updates at lists.suse.com Thu Nov 19 07:16:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:16:56 +0100 (CET)
Subject: SUSE-SU-2020:3377-1: moderate: Security update for krb5
Message-ID: <20201119141656.726DFF750@maintenance.suse.de>

SUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3377-1
Rating: moderate
References: #1178512
Cross-References: CVE-2020-28196
Affected Products:
  SUSE Linux Enterprise Module for Server Applications 15-SP2
  SUSE Linux Enterprise Module for Server Applications 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3377=1
- SUSE Linux Enterprise Module for Server Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3377=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3377=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3377=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  krb5-debuginfo-1.16.3-3.15.1
  krb5-debugsource-1.16.3-3.15.1
  krb5-plugin-kdb-ldap-1.16.3-3.15.1
  krb5-plugin-kdb-ldap-debuginfo-1.16.3-3.15.1
  krb5-server-1.16.3-3.15.1
  krb5-server-debuginfo-1.16.3-3.15.1
- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  krb5-debuginfo-1.16.3-3.15.1
  krb5-debugsource-1.16.3-3.15.1
  krb5-plugin-kdb-ldap-1.16.3-3.15.1
  krb5-plugin-kdb-ldap-debuginfo-1.16.3-3.15.1
  krb5-server-1.16.3-3.15.1
  krb5-server-debuginfo-1.16.3-3.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  krb5-1.16.3-3.15.1
  krb5-client-1.16.3-3.15.1
  krb5-client-debuginfo-1.16.3-3.15.1
  krb5-debuginfo-1.16.3-3.15.1
  krb5-debugsource-1.16.3-3.15.1
  krb5-devel-1.16.3-3.15.1
  krb5-plugin-preauth-otp-1.16.3-3.15.1
  krb5-plugin-preauth-otp-debuginfo-1.16.3-3.15.1
  krb5-plugin-preauth-pkinit-1.16.3-3.15.1
  krb5-plugin-preauth-pkinit-debuginfo-1.16.3-3.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  krb5-32bit-1.16.3-3.15.1
  krb5-32bit-debuginfo-1.16.3-3.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  krb5-1.16.3-3.15.1
  krb5-client-1.16.3-3.15.1
  krb5-client-debuginfo-1.16.3-3.15.1
  krb5-debuginfo-1.16.3-3.15.1
  krb5-debugsource-1.16.3-3.15.1
  krb5-devel-1.16.3-3.15.1
krb5-plugin-preauth-otp-1.16.3-3.15.1 krb5-plugin-preauth-otp-debuginfo-1.16.3-3.15.1 krb5-plugin-preauth-pkinit-1.16.3-3.15.1 krb5-plugin-preauth-pkinit-debuginfo-1.16.3-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): krb5-32bit-1.16.3-3.15.1 krb5-32bit-debuginfo-1.16.3-3.15.1 References: https://www.suse.com/security/cve/CVE-2020-28196.html https://bugzilla.suse.com/1178512 From sle-security-updates at lists.suse.com Thu Nov 19 07:18:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:18:00 +0100 (CET) Subject: SUSE-SU-2020:3376-1: moderate: Security update for wireshark Message-ID: <20201119141800.E469BF750@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3376-1 Rating: moderate References: #1177406 #1178291 Cross-References: CVE-2020-26575 CVE-2020-28030 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for wireshark fixes the following issues: - wireshark was updated to 3.2.8: - CVE-2020-26575: Fixed an issue where FBZERO dissector was entering in infinite loop (bsc#1177406) - CVE-2020-28030: Fixed an issue where GQUIC dissector was crashing (bsc#1178291) * Infinite memory allocation while parsing this tcp packet Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3376=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3376=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3376=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3376=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-3.2.8-3.44.1 wireshark-debugsource-3.2.8-3.44.1 wireshark-devel-3.2.8-3.44.1 wireshark-ui-qt-3.2.8-3.44.1 wireshark-ui-qt-debuginfo-3.2.8-3.44.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-3.2.8-3.44.1 wireshark-debugsource-3.2.8-3.44.1 wireshark-devel-3.2.8-3.44.1 wireshark-ui-qt-3.2.8-3.44.1 wireshark-ui-qt-debuginfo-3.2.8-3.44.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libwireshark13-3.2.8-3.44.1 libwireshark13-debuginfo-3.2.8-3.44.1 libwiretap10-3.2.8-3.44.1 libwiretap10-debuginfo-3.2.8-3.44.1 libwsutil11-3.2.8-3.44.1 libwsutil11-debuginfo-3.2.8-3.44.1 wireshark-3.2.8-3.44.1 wireshark-debuginfo-3.2.8-3.44.1 wireshark-debugsource-3.2.8-3.44.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libwireshark13-3.2.8-3.44.1 libwireshark13-debuginfo-3.2.8-3.44.1 libwiretap10-3.2.8-3.44.1 libwiretap10-debuginfo-3.2.8-3.44.1 libwsutil11-3.2.8-3.44.1 libwsutil11-debuginfo-3.2.8-3.44.1 wireshark-3.2.8-3.44.1 wireshark-debuginfo-3.2.8-3.44.1 wireshark-debugsource-3.2.8-3.44.1 References: https://www.suse.com/security/cve/CVE-2020-26575.html https://www.suse.com/security/cve/CVE-2020-28030.html https://bugzilla.suse.com/1177406 
https://bugzilla.suse.com/1178291 From sle-security-updates at lists.suse.com Thu Nov 19 07:19:07 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:19:07 +0100 (CET) Subject: SUSE-SU-2020:3384-1: moderate: Security update for perl-DBI Message-ID: <20201119141907.0D08EF750@maintenance.suse.de> SUSE Security Update: Security update for perl-DBI ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3384-1 Rating: moderate References: #1176492 Cross-References: CVE-2014-10401 CVE-2014-10402 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for perl-DBI fixes the following issues: - DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). [bsc#1176492, CVE-2014-10401, CVE-2014-10402] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3384=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
   perl-DBI-1.642-3.9.1
   perl-DBI-debuginfo-1.642-3.9.1
   perl-DBI-debugsource-1.642-3.9.1

References:

https://www.suse.com/security/cve/CVE-2014-10401.html
https://www.suse.com/security/cve/CVE-2014-10402.html
https://bugzilla.suse.com/1176492

From sle-security-updates at lists.suse.com Thu Nov 19 07:20:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:20:04 +0100 (CET)
Subject: SUSE-SU-2020:3372-1: moderate: Security update for ucode-intel
Message-ID: <20201119142004.CF394F750@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3372-1
Rating:             moderate
References:         #1170446 #1173592 #1173594
Cross-References:   CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

- Updated Intel CPU Microcode to 20201110 official release.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.

### New Platforms

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:----------|:---------|:------------|:---------|:---------|:---------|
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 |
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology |
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile |
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile |
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 |
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 |
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile |

### Updated Platforms

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:----------|:---------|:------------|:---------|:---------|:---------|
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable |
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx |
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 |
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx |
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx |
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 |
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile |
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile |
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile |
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile |
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 |
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E |
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 |
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 |
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile |
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3372=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
   ucode-intel-20201110-3.39.1

References:

https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8696.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173592
https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Thu Nov 19 07:22:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:22:05 +0100 (CET)
Subject: SUSE-SU-2020:3383-1: important: Security update for MozillaFirefox
Message-ID: <20201119142205.186DEF750@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3383-1
Rating:             important
References:         #1178824
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26953
                    CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960
                    CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
  * CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
  * CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
  * CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
  * CVE-2020-26956: XSS through paste (manual and clipboard API)
  * CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
  * CVE-2020-26959: Use-after-free in WebRequestService
  * CVE-2020-26960: Potential use-after-free in uses of nsTArray
  * CVE-2020-15999: Heap buffer overflow in freetype
  * CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965: Software keyboards may have remembered typed passwords
  * CVE-2020-26966: Single-word search queries were also broadcast to local network
  * CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-3383=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
   MozillaFirefox-78.5.0-3.119.1
   MozillaFirefox-debuginfo-78.5.0-3.119.1
   MozillaFirefox-debugsource-78.5.0-3.119.1
   MozillaFirefox-devel-78.5.0-3.119.1
   MozillaFirefox-translations-common-78.5.0-3.119.1
   MozillaFirefox-translations-other-78.5.0-3.119.1

References:

https://www.suse.com/security/cve/CVE-2020-15999.html
https://www.suse.com/security/cve/CVE-2020-16012.html
https://www.suse.com/security/cve/CVE-2020-26951.html
https://www.suse.com/security/cve/CVE-2020-26953.html
https://www.suse.com/security/cve/CVE-2020-26956.html
https://www.suse.com/security/cve/CVE-2020-26958.html
https://www.suse.com/security/cve/CVE-2020-26959.html
https://www.suse.com/security/cve/CVE-2020-26960.html
https://www.suse.com/security/cve/CVE-2020-26961.html
https://www.suse.com/security/cve/CVE-2020-26965.html
https://www.suse.com/security/cve/CVE-2020-26966.html
https://www.suse.com/security/cve/CVE-2020-26968.html
https://bugzilla.suse.com/1178824

From sle-security-updates at lists.suse.com Thu Nov 19 07:24:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:24:02 +0100 (CET)
Subject: SUSE-SU-2020:3389-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP2)
Message-ID: <20201119142402.E78D5F750@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP2)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3389-1
Rating:             important
References:         #1177513 #1177727 #1177729
Cross-References:   CVE-2020-12351 CVE-2020-24490 CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 5.3.18-24_9 fixes several issues.

The following security issues were fixed:

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724, bsc#1177729, bsc#1178397).
- CVE-2020-24490: Fixed a heap buffer overflow when processing extended advertising report events aka "BleedingTooth" aka "BadVibes" (bsc#1177726, bsc#1177727).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3389=1 SUSE-SLE-Module-Live-Patching-15-SP2-2020-3390=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
   kernel-livepatch-5_3_18-22-default-4-11.2
   kernel-livepatch-5_3_18-22-default-debuginfo-4-11.2
   kernel-livepatch-5_3_18-24_9-default-4-2.1
   kernel-livepatch-5_3_18-24_9-default-debuginfo-4-2.1
   kernel-livepatch-SLE15-SP2_Update_0-debugsource-4-11.2
   kernel-livepatch-SLE15-SP2_Update_1-debugsource-4-2.1

References:

https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-24490.html
https://www.suse.com/security/cve/CVE-2020-25645.html
https://bugzilla.suse.com/1177513
https://bugzilla.suse.com/1177727
https://bugzilla.suse.com/1177729

From sle-security-updates at lists.suse.com Thu Nov 19 07:25:11 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:25:11 +0100 (CET)
Subject: SUSE-SU-2020:3373-1: moderate: Security update for ucode-intel
Message-ID: <20201119142511.E8809F750@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3373-1
Rating:             moderate
References:         #1170446 #1173592 #1173594
Cross-References:   CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

- Updated Intel CPU Microcode to 20201110 official release.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:----------|:---------|:------------|:---------|:---------|:---------|
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 |
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology |
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile |
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile |
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 |
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 |
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile |

### Updated Platforms

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:----------|:---------|:------------|:---------|:---------|:---------|
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable |
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx |
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 |
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx |
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx |
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 |
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile |
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile |
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile |
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile |
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 |
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E |
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 |
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 |
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile |
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3373=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
   ucode-intel-20201110-2.10.1

References:

https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8696.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173592
https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Thu Nov 19 07:27:39 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:27:39 +0100 (CET)
Subject: SUSE-SU-2020:3380-1: moderate: Security update for wpa_supplicant
Message-ID: <20201119142739.C4B57F750@maintenance.suse.de>

SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3380-1
Rating:             moderate
References:         #1131644 #1131868 #1131870 #1131871 #1131872 #1131874 #1133640
                    #1144443 #1150934 #1156920 #1166933 #1167331 #930077 #930078
                    #930079 SLE-14992
Cross-References:   CVE-2015-4141 CVE-2015-4142 CVE-2015-4143 CVE-2015-8041
                    CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
                    CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
                    CVE-2017-13088 CVE-2018-14526 CVE-2019-11555 CVE-2019-13377
                    CVE-2019-16275 CVE-2019-9494 CVE-2019-9495 CVE-2019-9497
                    CVE-2019-9498 CVE-2019-9499
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes 22 vulnerabilities and contains one feature is now available.

Description:

This update for wpa_supplicant fixes the following issues:

Security issue fixed:

- CVE-2019-16275: Fixed an AP mode PMF disconnection protection bypass (bsc#1150934).

Non-security issues fixed:

- Enable SAE support (jsc#SLE-14992).
- Limit P2P_DEVICE name to appropriate ifname size.
- Fix wicked wlan (bsc#1156920)
- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)
- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
- Fix WLAN config on boot with wicked. (bsc#1166933)
- Update to 2.9 release:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - allow the set of groups to be configured (eap_pwd_groups)
    - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous at realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X 4-way handshake
  * fixed an ECDH operation corner case with OpenSSL
  * SAE changes
    - added support for SAE Password Identifier
    - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes
    - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms
    - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP
    - started to prefer FT-SAE over SAE AKM if both are enabled
    - started to prefer FT-SAE over FT-PSK if both are enabled
    - fixed FT-SAE when SAE PMKSA caching is used
    - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256)
    - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
  * EAP-pwd changes
    - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
    - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
    - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
    - enforce rand,mask generation rules more strictly
    - fix a memory leak in PWE derivation
    - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
    - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
  * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
  * Hotspot 2.0 changes
    - do not indicate release number that is higher than the one AP supports
    - added support for release number 3
    - enable PMF automatically for network profiles created from credentials
  * fixed OWE network profile saving
  * fixed DPP network profile saving
  * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1)
  * added Multi-AP backhaul STA support
  * fixed build with LibreSSL
  * number of MKA/MACsec fixes and extensions
  * extended domain_match and domain_suffix_match to allow list of values
  * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL
  * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled
  * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384
  * fixed KEK2 derivation for FILS+FT
  * extended client_cert file to allow loading of a chain of PEM encoded certificates
  * extended beacon reporting functionality
  * extended D-Bus interface with number of new properties
  * fixed a regression in FT-over-DS with mac80211-based drivers
  * OpenSSL: allow systemwide policies to be overridden
  * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability
  * added support for random P2P Device/Interface Address use
  * extended PEAP to derive EMSK to enable use with ERP/FILS
  * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1)
  * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
  * extended domain_match and domain_suffix_match to allow list of values
  * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order
  * fixed PTK rekeying with FILS and FT
  * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
  * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526)
  * added support for FILS (IEEE 802.11ai) shared key authentication
  * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA)
  * added support for DPP (Wi-Fi Device Provisioning Protocol)
  * added support for RSA 3k key case with Suite B 192-bit level
  * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake
  * fixed EAP-pwd pre-processing with PasswordHashHash
  * added EAP-pwd client support for salted passwords
  * fixed a regression in TDLS prohibited bit validation
  * started to use estimated throughput to avoid undesired signal strength based roaming decision
  * MACsec/MKA:
    - new macsec_linux driver interface support for the Linux kernel macsec module
    - number of fixes and extensions
  * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
  * fixed mesh channel configuration pri/sec switch case
  * added support for beacon report
  * large number of other fixes, cleanup, and extensions
  * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter)
  * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
  * added option for using random WPS UUID (auto_uuid=1)
  * added SHA256-hash support for OCSP certificate matching
  * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
  * fixed a regression in RSN pre-authentication candidate selection
  * added option to configure allowed group management cipher suites (group_mgmt network profile parameter)
  * removed all PeerKey functionality
  * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer
  * added ap_isolate configuration option for AP mode
  * added support for nl80211 to offload 4-way handshake into the driver
  * added support for using wolfSSL cryptographic library
  * SAE
    - added support for configuring SAE password separately of the WPA2 PSK/passphrase
    - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be updated at the same time to maintain interoperability
    - added support for Password Identifier
    - fixed FT-SAE PMKID matching
  * Hotspot 2.0
    - added support for fetching of Operator Icon Metadata ANQP-element
    - added support for Roaming Consortium Selection element
    - added support for Terms and Conditions
    - added support for OSEN connection in a shared RSN BSS
    - added support for fetching Venue URL information
  * added support for using OpenSSL 1.1.1
  * FT
    - disabled PMKSA caching with FT since it is not fully functional
    - added support for SHA384 based AKM
    - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
    - fixed additional IE inclusion in Reassociation Request frame when using FT protocol
- Changed service-files for start after network (systemd-networkd).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3380=1

- SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3380=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3380=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3380=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3380=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3380=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
   wpa_supplicant-2.9-4.20.1
   wpa_supplicant-debuginfo-2.9-4.20.1
   wpa_supplicant-debugsource-2.9-4.20.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
   wpa_supplicant-2.9-4.20.1
   wpa_supplicant-debuginfo-2.9-4.20.1
   wpa_supplicant-debugsource-2.9-4.20.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
   wpa_supplicant-2.9-4.20.1
   wpa_supplicant-debuginfo-2.9-4.20.1
   wpa_supplicant-debugsource-2.9-4.20.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
   wpa_supplicant-2.9-4.20.1
   wpa_supplicant-debuginfo-2.9-4.20.1
   wpa_supplicant-debugsource-2.9-4.20.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
   wpa_supplicant-2.9-4.20.1
   wpa_supplicant-debuginfo-2.9-4.20.1
   wpa_supplicant-debugsource-2.9-4.20.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
   wpa_supplicant-2.9-4.20.1
wpa_supplicant-debuginfo-2.9-4.20.1 wpa_supplicant-debugsource-2.9-4.20.1 References: https://www.suse.com/security/cve/CVE-2015-4141.html https://www.suse.com/security/cve/CVE-2015-4142.html https://www.suse.com/security/cve/CVE-2015-4143.html https://www.suse.com/security/cve/CVE-2015-8041.html https://www.suse.com/security/cve/CVE-2017-13077.html https://www.suse.com/security/cve/CVE-2017-13078.html https://www.suse.com/security/cve/CVE-2017-13079.html https://www.suse.com/security/cve/CVE-2017-13080.html https://www.suse.com/security/cve/CVE-2017-13081.html https://www.suse.com/security/cve/CVE-2017-13082.html https://www.suse.com/security/cve/CVE-2017-13086.html https://www.suse.com/security/cve/CVE-2017-13087.html https://www.suse.com/security/cve/CVE-2017-13088.html https://www.suse.com/security/cve/CVE-2018-14526.html https://www.suse.com/security/cve/CVE-2019-11555.html https://www.suse.com/security/cve/CVE-2019-13377.html https://www.suse.com/security/cve/CVE-2019-16275.html https://www.suse.com/security/cve/CVE-2019-9494.html https://www.suse.com/security/cve/CVE-2019-9495.html https://www.suse.com/security/cve/CVE-2019-9497.html https://www.suse.com/security/cve/CVE-2019-9498.html https://www.suse.com/security/cve/CVE-2019-9499.html https://bugzilla.suse.com/1131644 https://bugzilla.suse.com/1131868 https://bugzilla.suse.com/1131870 https://bugzilla.suse.com/1131871 https://bugzilla.suse.com/1131872 https://bugzilla.suse.com/1131874 https://bugzilla.suse.com/1133640 https://bugzilla.suse.com/1144443 https://bugzilla.suse.com/1150934 https://bugzilla.suse.com/1156920 https://bugzilla.suse.com/1166933 https://bugzilla.suse.com/1167331 https://bugzilla.suse.com/930077 https://bugzilla.suse.com/930078 https://bugzilla.suse.com/930079 From sle-security-updates at lists.suse.com Thu Nov 19 07:30:16 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:30:16 +0100 (CET) Subject: 
SUSE-SU-2020:3375-1: moderate: Security update for krb5 Message-ID: <20201119143016.2E9DBF750@maintenance.suse.de> SUSE Security Update: Security update for krb5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3375-1 Rating: moderate References: #1178512 Cross-References: CVE-2020-28196 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3375=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3375=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3375=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3375=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  krb5-1.15.2-6.12.2
  krb5-client-1.15.2-6.12.2
  krb5-client-debuginfo-1.15.2-6.12.2
  krb5-debuginfo-1.15.2-6.12.2
  krb5-debugsource-1.15.2-6.12.2
  krb5-devel-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-otp-1.15.2-6.12.2
  krb5-plugin-preauth-otp-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-debuginfo-1.15.2-6.12.2
  krb5-server-1.15.2-6.12.2
  krb5-server-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise Server for SAP 15 (x86_64):
  krb5-32bit-1.15.2-6.12.2
  krb5-32bit-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  krb5-1.15.2-6.12.2
  krb5-client-1.15.2-6.12.2
  krb5-client-debuginfo-1.15.2-6.12.2
  krb5-debuginfo-1.15.2-6.12.2
  krb5-debugsource-1.15.2-6.12.2
  krb5-devel-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-otp-1.15.2-6.12.2
  krb5-plugin-preauth-otp-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-debuginfo-1.15.2-6.12.2
  krb5-server-1.15.2-6.12.2
  krb5-server-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  krb5-1.15.2-6.12.2
  krb5-client-1.15.2-6.12.2
  krb5-client-debuginfo-1.15.2-6.12.2
  krb5-debuginfo-1.15.2-6.12.2
  krb5-debugsource-1.15.2-6.12.2
  krb5-devel-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-otp-1.15.2-6.12.2
  krb5-plugin-preauth-otp-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-debuginfo-1.15.2-6.12.2
  krb5-server-1.15.2-6.12.2
  krb5-server-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
  krb5-32bit-1.15.2-6.12.2
  krb5-32bit-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  krb5-1.15.2-6.12.2
  krb5-client-1.15.2-6.12.2
  krb5-client-debuginfo-1.15.2-6.12.2
  krb5-debuginfo-1.15.2-6.12.2
  krb5-debugsource-1.15.2-6.12.2
  krb5-devel-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-1.15.2-6.12.2
  krb5-plugin-kdb-ldap-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-otp-1.15.2-6.12.2
  krb5-plugin-preauth-otp-debuginfo-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-1.15.2-6.12.2
  krb5-plugin-preauth-pkinit-debuginfo-1.15.2-6.12.2
  krb5-server-1.15.2-6.12.2
  krb5-server-debuginfo-1.15.2-6.12.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
  krb5-32bit-1.15.2-6.12.2
  krb5-32bit-debuginfo-1.15.2-6.12.2

References:

https://www.suse.com/security/cve/CVE-2020-28196.html
https://bugzilla.suse.com/1178512

From sle-security-updates at lists.suse.com Thu Nov 19 07:32:09 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:32:09 +0100 (CET)
Subject: SUSE-SU-2020:3400-1: important: Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP1)
Message-ID: <20201119143209.BCCE6F750@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP1)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3400-1
Rating:             important
References:         #1177513 #1177729 #1178264
Cross-References:   CVE-2017-1000405 CVE-2020-12351 CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-197_26 fixes several issues.

The following security issues were fixed:

- CVE-2017-1000405: Fixed a bug in the THP CoW support that could have been used by local attackers to corrupt memory of other processes and cause them to crash (bsc#1178264, bsc#1069496, bsc#1070307).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724, bsc#1177729, bsc#1178397).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3411=1
- SUSE Linux Enterprise Live Patching 12-SP5:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3400=1 SUSE-SLE-Live-Patching-12-SP5-2020-3401=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-livepatch-4_12_14-197_26-default-8-2.2
- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):
  kgraft-patch-4_12_14-120-default-8-21.2
  kgraft-patch-4_12_14-120-default-debuginfo-8-21.2
  kgraft-patch-4_12_14-122_7-default-8-2.2
  kgraft-patch-SLE12-SP5_Update_0-debugsource-8-21.2

References:

https://www.suse.com/security/cve/CVE-2017-1000405.html
https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-25645.html
https://bugzilla.suse.com/1177513
https://bugzilla.suse.com/1177729
https://bugzilla.suse.com/1178264

From sle-security-updates at lists.suse.com Thu Nov 19 07:33:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:33:32 +0100 (CET)
Subject: SUSE-SU-2020:3402-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP1)
Message-ID: <20201119143332.E2A78F791@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP1)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3402-1
Rating:             important
References:         #1177513 #1177729
Cross-References:   CVE-2020-12351 CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP2
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-197_34 fixes several issues.

The following security issues were fixed:

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724, bsc#1177729, bsc#1178397).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2020-3386=1 SUSE-SLE-Module-Live-Patching-15-SP2-2020-3387=1 SUSE-SLE-Module-Live-Patching-15-SP2-2020-3388=1
- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3402=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3403=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3404=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3405=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3406=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3407=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3408=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3409=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-3410=1
- SUSE Linux Enterprise Live Patching 12-SP5:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3391=1 SUSE-SLE-Live-Patching-12-SP5-2020-3392=1 SUSE-SLE-Live-Patching-12-SP5-2020-3393=1 SUSE-SLE-Live-Patching-12-SP5-2020-3394=1 SUSE-SLE-Live-Patching-12-SP5-2020-3395=1 SUSE-SLE-Live-Patching-12-SP5-2020-3396=1 SUSE-SLE-Live-Patching-12-SP5-2020-3397=1 SUSE-SLE-Live-Patching-12-SP5-2020-3398=1 SUSE-SLE-Live-Patching-12-SP5-2020-3399=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-livepatch-5_3_18-24_12-default-3-2.1
  kernel-livepatch-5_3_18-24_12-default-debuginfo-3-2.1
  kernel-livepatch-5_3_18-24_15-default-3-2.1
  kernel-livepatch-5_3_18-24_15-default-debuginfo-3-2.1
  kernel-livepatch-5_3_18-24_24-default-3-2.1
  kernel-livepatch-5_3_18-24_24-default-debuginfo-3-2.1
  kernel-livepatch-SLE15-SP2_Update_2-debugsource-3-2.1
  kernel-livepatch-SLE15-SP2_Update_3-debugsource-3-2.1
  kernel-livepatch-SLE15-SP2_Update_4-debugsource-3-2.1
- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-livepatch-4_12_14-197_29-default-8-2.2
  kernel-livepatch-4_12_14-197_34-default-7-2.2
  kernel-livepatch-4_12_14-197_37-default-7-2.2
  kernel-livepatch-4_12_14-197_40-default-6-2.2
  kernel-livepatch-4_12_14-197_45-default-4-2.2
  kernel-livepatch-4_12_14-197_48-default-4-2.1
  kernel-livepatch-4_12_14-197_51-default-4-2.1
  kernel-livepatch-4_12_14-197_56-default-3-2.1
  kernel-livepatch-4_12_14-197_61-default-2-2.1
- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):
  kgraft-patch-4_12_14-122_17-default-7-2.2
  kgraft-patch-4_12_14-122_20-default-6-2.2
  kgraft-patch-4_12_14-122_23-default-4-2.2
  kgraft-patch-4_12_14-122_26-default-4-2.2
  kgraft-patch-4_12_14-122_29-default-4-2.1
  kgraft-patch-4_12_14-122_32-default-4-2.1
  kgraft-patch-4_12_14-122_37-default-3-2.1
  kgraft-patch-4_12_14-122_41-default-2-2.1
- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):
  kgraft-patch-4_12_14-122_12-default-8-2.2

References:

https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-25645.html
https://bugzilla.suse.com/1177513
https://bugzilla.suse.com/1177729

From sle-security-updates at lists.suse.com Thu Nov 19 07:35:48 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:35:48 +0100 (CET)
Subject: SUSE-SU-2020:14546-1: moderate: Security update for microcode_ctl
Message-ID: <20201119143548.4BA8EF750@maintenance.suse.de>

SUSE Security Update: Security update for microcode_ctl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14546-1
Rating:             moderate
References:         #1170446 #1173592 #1173594
Cross-References:   CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for microcode_ctl fixes the following issues:

- Updated Intel CPU Microcode to 20201110 official release.
- CVE-2020-8695: Fixed Intel RAPL side-channel attack (SGX), INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor, INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active, INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.

### New Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP         | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3
| LKF            | B2/B3    | 06-8a-01/10 |          | 00000028 | Core w/Hybrid Technology
| TGL            | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile
| CML-H          | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile
| CML-S62        | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10
| CML-S102       | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10
| CML-U62 V2     | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile

### Updated Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP       | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y        | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e       | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP         | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP         | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D          | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP         | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP         | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL            | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL            | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S        | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R          | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y        | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22        | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y        | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e       | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U          | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U          | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3   | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S          | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S        | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H          | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62        | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
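The F-M-S/PI column of the microcode tables above encodes the CPUID family, model and stepping in hex plus the platform-ID mask, and Old Ver / New Ver are microcode revisions. The following check is an added example, not part of the SUSE advisory or of microcode_ctl: it parses rows copied from the tables and compares them with /proc/cpuinfo-style input (the cpuinfo excerpt is constructed; the platform-ID mask is parsed but not checked, because /proc/cpuinfo does not expose it).

```python
import re

# Rows copied from the advisory's "New Platforms" / "Updated Platforms" tables.
# A subset is enough to show the logic; paste in the full tables for real use.
ADVISORY_TABLE = """
| CPX-SP   | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3
| SKX-SP   | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| CLX-SP   | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| KBL-U/Y  | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
"""

# Constructed /proc/cpuinfo excerpt (not captured from a real host). The kernel
# prints family/model/stepping in decimal and the microcode revision in hex.
CPUINFO_SAMPLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) (constructed sample)
stepping\t: 4
microcode\t: 0x2006906
"""

# One table row: Processor | Stepping | FF-MM-SS/PI | Old Ver | New Ver | Products.
# Header and separator rows do not match the FF-MM-SS/PI pattern and are skipped.
ROW_RE = re.compile(
    r"^\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<step>[^|]+?)\s*\|\s*"
    r"(?P<fam>[0-9a-f]{2})-(?P<model>[0-9a-f]{2})-(?P<stepping>[0-9a-f]{2})/(?P<pi>[0-9a-f]{2})"
    r"\s*\|\s*(?P<old>[0-9a-f]*)\s*\|\s*(?P<new>[0-9a-f]+)\s*\|\s*(?P<products>[^|]+?)\s*$",
    re.IGNORECASE,
)

CPUINFO_FIELDS = ("cpu family", "model", "stepping", "microcode")


def parse_table(text):
    """Map (family, model, stepping) -> table entry with integer revisions.

    Rows sharing an F-M-S (e.g. SKX-SP and SKX-D) differ only in platform ID,
    which is not checked here, so the highest New Ver for the key is kept.
    """
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["fam"], 16), int(m["model"], 16), int(m["stepping"], 16))
        new_rev = int(m["new"], 16)
        if key not in entries or new_rev > entries[key]["new_rev"]:
            entries[key] = {
                "new_rev": new_rev,
                "old_rev": int(m["old"], 16) if m["old"] else None,  # empty = new platform
                "platform_mask": int(m["pi"], 16),
                "processor": m["proc"],
                "products": m["products"],
            }
    return entries


def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode_rev) for the first CPU, or
    None if a field is missing (e.g. a non-x86 host)."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key = key.strip()  # exact match, so "model name" is not mistaken for "model"
        if key in CPUINFO_FIELDS and key not in values:
            values[key] = val.strip()
    if any(field not in values for field in CPUINFO_FIELDS):
        return None
    return (int(values["cpu family"]), int(values["model"]),
            int(values["stepping"]), int(values["microcode"], 16))


def check_microcode(cpuinfo_text, table_text=ADVISORY_TABLE):
    """Classify the host against the advisory table.

    Returns "unreadable cpuinfo", "not listed", "up to date", or
    "outdated (have XXXXXXXX, advisory ships YYYYYYYY)".
    """
    cpu = parse_cpuinfo(cpuinfo_text)
    if cpu is None:
        return "unreadable cpuinfo"
    family, model, stepping, have = cpu
    entry = parse_table(table_text).get((family, model, stepping))
    if entry is None:
        return "not listed"
    if have >= entry["new_rev"]:
        return "up to date"
    return "outdated (have %08x, advisory ships %08x)" % (have, entry["new_rev"])


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = CPUINFO_SAMPLE
    print(check_microcode(cpuinfo))
```

Microcode is loaded early by the kernel (or by microcode_ctl on SLE 11), so after installing the package the revision in /proc/cpuinfo only changes after a reboot or an explicit late load.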
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-microcode_ctl-14546=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-14546=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.62.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.62.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8696.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 https://bugzilla.suse.com/1173592 https://bugzilla.suse.com/1173594 From sle-security-updates at lists.suse.com Thu Nov 19 07:37:02 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:37:02 +0100 (CET) Subject: SUSE-SU-2020:3385-1: moderate: Security update for perl-DBI Message-ID: <20201119143702.2E18AF750@maintenance.suse.de> SUSE Security Update: Security update for perl-DBI ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3385-1 Rating: moderate References: #1176492 Cross-References: CVE-2014-10401 CVE-2014-10402 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for perl-DBI fixes the following issues: - DBD::File drivers could open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). [bsc#1176492, CVE-2014-10401, CVE-2014-10402] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3385=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): perl-DBI-1.639-3.14.1 perl-DBI-debuginfo-1.639-3.14.1 perl-DBI-debugsource-1.639-3.14.1 References: https://www.suse.com/security/cve/CVE-2014-10401.html https://www.suse.com/security/cve/CVE-2014-10402.html https://bugzilla.suse.com/1176492 From sle-security-updates at lists.suse.com Thu Nov 19 07:38:03 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:38:03 +0100 (CET) Subject: SUSE-SU-2020:3368-1: moderate: Security update for go1.15 Message-ID: <20201119143803.8598CF750@maintenance.suse.de> SUSE Security Update: Security update for go1.15 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3368-1 Rating: moderate References: #1175132 #1178750 #1178752 #1178753 Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for go1.15 fixes the following issues: - go1.15.5 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages. 
* go#42553 math/big: panic during recursive division of very large numbers (bsc#1178750 CVE-2020-28362) * go#42560 cmd/go: arbitrary code can be injected into cgo generated files (bsc#1178752 CVE-2020-28367) * go#42557 cmd/go: improper validation of cgo flags can lead to remote code execution at build time (bsc#1178753 CVE-2020-28366) * go#42169 cmd/compile, runtime, reflect: pointers to go:notinheap types must be stored indirectly in interfaces * go#42151 cmd/cgo: opaque struct pointers are broken since Go 1.15.3 * go#42138 time: Location interprets wrong timezone (DST) with slim zoneinfo * go#42113 x/net/http2: the first write error on a connection will cause all subsequent write requests to fail blindly * go#41914 net/http: request.Clone doesn't deep copy TransferEncoding * go#41704 runtime: macOS syscall.Exec can get SIGILL due to preemption signal * go#41463 compress/flate: deflatefast produces corrupted output * go#41387 x/net/http2: connection-level flow control not returned if stream errors, causes server hang * go#40974 cmd/link: sectionForAddress(0xA9D67F) address not in any section file Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3368=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3368=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): go1.15-1.15.5-1.11.1 go1.15-doc-1.15.5-1.11.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): go1.15-1.15.5-1.11.1 go1.15-doc-1.15.5-1.11.1 References: https://www.suse.com/security/cve/CVE-2020-28362.html https://www.suse.com/security/cve/CVE-2020-28366.html https://www.suse.com/security/cve/CVE-2020-28367.html https://bugzilla.suse.com/1175132 https://bugzilla.suse.com/1178750 https://bugzilla.suse.com/1178752 https://bugzilla.suse.com/1178753 From sle-security-updates at lists.suse.com Thu Nov 19 07:39:28 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:39:28 +0100 (CET) Subject: SUSE-SU-2020:3369-1: moderate: Security update for go1.14 Message-ID: <20201119143928.26910F750@maintenance.suse.de> SUSE Security Update: Security update for go1.14 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3369-1 Rating: moderate References: #1164903 #1178750 #1178752 #1178753 Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. 
Description: This update for go1.14 fixes the following issues: - go1.14.12 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages. * go#42553 math/big: panic during recursive division of very large numbers (bsc#1178750 CVE-2020-28362) * go#42560 cmd/go: arbitrary code can be injected into cgo generated files (bsc#1178752 CVE-2020-28367) * go#42557 cmd/go: improper validation of cgo flags can lead to remote code execution at build time (bsc#1178753 CVE-2020-28366) * go#42155 time: Location interprets wrong timezone (DST) with slim zoneinfo * go#42112 x/net/http2: the first write error on a connection will cause all subsequent write requests to fail blindly * go#41991 runtime: macOS-only segfault on 1.14+ with "split stack overflow" * go#41913 net/http: request.Clone doesn't deep copy TransferEncoding * go#41703 runtime: macOS syscall.Exec can get SIGILL due to preemption signal * go#41386 x/net/http2: connection-level flow control not returned if stream errors, causes server hang Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3369=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3369=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): go1.14-1.14.12-1.26.1 go1.14-doc-1.14.12-1.26.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): go1.14-1.14.12-1.26.1 go1.14-doc-1.14.12-1.26.1 References: https://www.suse.com/security/cve/CVE-2020-28362.html https://www.suse.com/security/cve/CVE-2020-28366.html https://www.suse.com/security/cve/CVE-2020-28367.html https://bugzilla.suse.com/1164903 https://bugzilla.suse.com/1178750 https://bugzilla.suse.com/1178752 https://bugzilla.suse.com/1178753 From sle-security-updates at lists.suse.com Thu Nov 19 07:40:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Nov 2020 15:40:50 +0100 (CET) Subject: SUSE-SU-2020:3374-1: moderate: Security update for ucode-intel Message-ID: <20201119144050.86844F750@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3374-1 Rating: moderate References: #1170446 #1173592 #1173594 Cross-References: CVE-2020-8695 CVE-2020-8696 CVE-2020-8698 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for ucode-intel fixes the following issues: - Updated Intel CPU Microcode to 20201110 official release. 
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.

  ### New Platforms

  | Processor  | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products                 |
  |:-----------|:---------|:------------|:---------|:---------|:-------------------------|
  | CPX-SP     | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3       |
  | LKF        | B2/B3    | 06-8a-01/10 |          | 00000028 | Core w/Hybrid Technology |
  | TGL        | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile        |
  | CML-H      | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile        |
  | CML-S62    | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10               |
  | CML-S102   | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10               |
  | CML-U62 V2 | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile        |

  ### Updated Platforms

  | Processor    | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products                                              |
  |:-------------|:---------|:------------|:---------|:---------|:------------------------------------------------------|
  | HSX-E/EP     | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3                        |
  | SKL-U/Y      | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile                                      |
  | SKL-U23e     | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile                                      |
  | SKX-SP       | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable                                         |
  | SKX-SP       | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable                                         |
  | SKX-D        | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx                                           |
  | CLX-SP       | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2                                    |
  | CLX-SP       | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2                                    |
  | APL          | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx     |
  | APL          | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx                                         |
  | SKL-H/S      | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5                                 |
  | GKL-R        | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120  |
  | ICL-U/Y      | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile                                     |
  | AML-Y22      | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile                                      |
  | KBL-U/Y      | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile                                      |
  | CFL-U43e     | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile                                      |
  | WHL-U        | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile                                      |
  | AML-Y42      | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile                                     |
  | CML-Y42      | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile                                     |
  | WHL-U        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile                                      |
  | KBL-G/H/S/E3 | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6                                 |
  | CFL-H/S/E3   | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E                     |
  | CFL-S        | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8                                             |
  | CFL-H/S      | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9                                             |
  | CFL-H        | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile                                      |
  | CML-U62      | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile                                     |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3374=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3374=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3374=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

  ucode-intel-20201110-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

  ucode-intel-20201110-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

  ucode-intel-20201110-3.55.1

References:

https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8696.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173592
https://bugzilla.suse.com/1173594


From sle-security-updates at lists.suse.com  Thu Nov 19 07:42:03 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 15:42:03 +0100 (CET)
Subject: SUSE-SU-2020:3378-1: moderate: Security update for podman
Message-ID: <20201119144203.4EA63F750@maintenance.suse.de>

   SUSE Security Update: Security update for podman
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3378-1
Rating:             moderate
References:         #1176804 #1178122 #1178392
Cross-References:   CVE-2020-14370
Affected Products:
                    SUSE Linux Enterprise Module for Containers 15-SP2
                    SUSE Linux Enterprise Module for Containers 15-SP1
                    SUSE Enterprise Storage 7
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.
Description:

This update for podman fixes the following issues:

Security issue fixed:

- This release resolves CVE-2020-14370, in which environment variables could be
  leaked between containers created using the Varlink API (bsc#1176804).

Non-security issues fixed:

- add dependency to timezone package or podman fails to build a container
  (bsc#1178122)
- Install new auto-update system units
- Update to v2.1.1 (bsc#1178392):
  * Changes
    - The `podman info` command now includes the cgroup manager Podman is using.
  * API
    - The REST API now includes a Server header in all responses.
    - Fixed a bug where the Libpod and Compat Attach endpoints could terminate
      early, before sending all output from the container.
    - Fixed a bug where the Compat Create endpoint for containers did not
      properly handle the Interactive parameter.
    - Fixed a bug where the Compat Kill endpoint for containers could continue
      to run after a fatal error.
    - Fixed a bug where the Limit parameter of the Compat List endpoint for
      Containers did not properly handle a limit of 0 (returning nothing,
      instead of all containers) [#7722].
    - The Libpod Stats endpoint for containers is being deprecated and will be
      replaced by a similar endpoint with additional features in a future
      release.
- Changes in v2.1.0
  * Features
    - A new command, `podman image mount`, has been added. This allows for an
      image to be mounted, read-only, to inspect its contents without creating
      a container from it [#1433].
    - The `podman save` and `podman load` commands can now create and load
      archives containing multiple images [#2669].
    - Rootless Podman now supports all `podman network` commands, and rootless
      containers can now be joined to networks.
    - The performance of `podman build` on `ADD` and `COPY` instructions has
      been greatly improved, especially when a `.dockerignore` is present.
    - The `podman run` and `podman create` commands now support a new mode for
      the `--cgroups` option, `--cgroups=split`.
      Podman will create two cgroups under the cgroup it was launched in, one
      for the container and one for Conmon. This mode is useful for running
      Podman in a systemd unit, as it ensures that all processes are retained
      in systemd's cgroup hierarchy [#6400].
    - The `podman run` and `podman create` commands can now specify options to
      slirp4netns by using the `--network` option as follows:
      `--net slirp4netns:opt1,opt2`. This allows for, among other things,
      switching the port forwarder used by slirp4netns away from rootlessport.
    - The `podman ps` command now features a new option, `--storage`, to show
      containers from Buildah, CRI-O and other applications.
    - The `podman run` and `podman create` commands now feature a `--sdnotify`
      option to control the behavior of systemd's sdnotify with containers,
      enabling improved support for Podman in `Type=notify` units.
    - The `podman run` command now features a `--preserve-fds` option to pass
      file descriptors from the host into the container [#6458].
    - The `podman run` and `podman create` commands can now create overlay
      volume mounts, by adding the `:O` option to a bind mount (e.g.
      `-v /test:/test:O`). Overlay volume mounts will mount a directory into a
      container from the host and allow changes to it, but not write those
      changes back to the directory on the host.
    - The `podman play kube` command now supports the Socket HostPath type
      [#7112].
    - The `podman play kube` command now supports read-only mounts.
    - The `podman play kube` command now supports setting labels on pods from
      Kubernetes metadata labels.
    - The `podman play kube` command now supports setting container restart
      policy [#7656].
    - The `podman play kube` command now properly handles `HostAlias` entries.
    - The `podman generate kube` command now adds entries to `/etc/hosts` from
      `--host-add` generated YAML as `HostAlias` entries.
    - The `podman play kube` and `podman generate kube` commands now properly
      support `shareProcessNamespace` to share the PID namespace in pods.
    - The `podman volume ls` command now supports the `dangling` filter to
      identify volumes that are dangling (not attached to any container).
    - The `podman run` and `podman create` commands now feature a `--umask`
      option to set the umask of the created container.
    - The `podman create` and `podman run` commands now feature a `--tz` option
      to set the timezone within the container [#5128].
    - Environment variables for Podman can now be added in the
      `containers.conf` configuration file.
    - The `--mount` option of `podman run` and `podman create` now supports a
      new mount type, `type=devpts`, to add a `devpts` mount to the container.
      This is useful for containers that want to mount `/dev/` from the host
      into the container, but still create a terminal.
    - The `--security-opt` flag to `podman run` and `podman create` now
      supports a new option, `proc-opts`, to specify options for the
      container's `/proc` filesystem.
    - Podman with the `crun` OCI runtime now supports a new option to
      `podman run` and `podman create`, `--cgroup-conf`, which allows for
      advanced configuration of cgroups on cgroups v2 systems.
    - The `podman create` and `podman run` commands now support an
      `--override-variant` option, to override the architecture variant of the
      image that will be pulled and run.
    - A new global option has been added to Podman, `--runtime-flags`, which
      allows for setting flags to use when the OCI runtime is called.
    - The `podman manifest add` command now supports the `--cert-dir`,
      `--auth-file`, `--creds`, and `--tls-verify` options.
  * Security
    - This release resolves CVE-2020-14370, in which environment variables
      could be leaked between containers created using the Varlink API.
  * Changes
    - Podman will now retry pulling an image 3 times if a pull fails due to
      network errors.
    - The `podman exec` command would previously print error messages (e.g.
      `exec session exited with non-zero exit code -1`) when the command run
      exited with a non-0 exit code. It no longer does this.
      The `podman exec` command will still exit with the same exit code as the
      command run in the container did.
    - Error messages when creating a container or pod with a name that is
      already in use have been improved.
    - For read-only containers running systemd init, Podman creates a tmpfs
      filesystem at `/run`. This was previously limited to 65k in size and
      mounted `noexec`, but is now unlimited size and mounted `exec`.
    - The `podman system reset` command no longer removes configuration files
      for rootless Podman.
  * API
    - The Libpod API version has been bumped to v2.0.0 due to a breaking change
      in the Image List API.
    - Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune)
      are now available!
    - Added an endpoint for generating systemd unit files for containers.
    - The `last` parameter to the Libpod container list endpoint now has an
      alias, `limit` [#6413].
    - The Libpod image list API now returns timestamps in Unix format, as
      integers rather than as strings.
    - The Compat Inspect endpoint for containers now includes port information
      in NetworkSettings.
    - The Compat List endpoint for images now features limited support for the
      (deprecated) `filter` query parameter [#6797].
    - Fixed a bug where the Compat Create endpoint for containers was not
      correctly handling bind mounts.
    - Fixed a bug where the Compat Create endpoint for containers would not
      return a 404 when the requested image was not present.
    - Fixed a bug where the Compat Create endpoint for containers did not
      properly handle Entrypoint and Command from images.
    - Fixed a bug where name history information was not properly added in the
      Libpod Image List endpoint.
    - Fixed a bug where the Libpod image search endpoint improperly populated
      the Description field of responses.
    - Added a `noTrunc` option to the Libpod image search endpoint.
    - Fixed a bug where the Pod List API would return null, instead of an empty
      array, when no pods were present [#7392].
    - Fixed a bug where endpoints that hijacked would perform the hijack too
      early, before being ready to send and receive data [#7195].
    - Fixed a bug where Pod endpoints that can operate on multiple containers
      at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from
      individual containers that failed.
    - The Compat List endpoint for networks now supports filtering results
      [#7462].
    - Fixed a bug where the Top endpoint for pods would return both a 500 and
      404 when run on a non-existent pod.
    - Fixed a bug where Pull endpoints did not stream progress back to the
      client.
    - The Version endpoints (Libpod and Compat) now provide version in a format
      compatible with Docker.
    - All non-hijacking responses to API requests should not include headers
      with the version of the server.
    - Fixed a bug where Libpod and Compat Events endpoints did not send
      response headers until the first event occurred [#7263].
    - Fixed a bug where the Build endpoints (Compat and Libpod) did not stream
      progress to the client.
    - Fixed a bug where the Stats endpoints (Compat and Libpod) did not
      properly handle clients disconnecting.
    - Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was
      not performing properly.
    - Fixed a bug where the Compat Logs endpoint for containers did not stream
      its output in the correct format [#7196].

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Containers 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-3378=1

- SUSE Linux Enterprise Module for Containers 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3378=1

- SUSE Enterprise Storage 7:

  zypper in -t patch SUSE-Storage-7-2020-3378=1

Package List:

- SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):

  podman-2.1.1-4.28.1

- SUSE Linux Enterprise Module for Containers 15-SP2 (noarch):

  podman-cni-config-2.1.1-4.28.1

- SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

  podman-2.1.1-4.28.1

- SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):

  podman-cni-config-2.1.1-4.28.1

- SUSE Enterprise Storage 7 (aarch64 x86_64):

  podman-2.1.1-4.28.1

References:

https://www.suse.com/security/cve/CVE-2020-14370.html
https://bugzilla.suse.com/1176804
https://bugzilla.suse.com/1178122
https://bugzilla.suse.com/1178392


From sle-security-updates at lists.suse.com  Thu Nov 19 10:15:19 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:15:19 +0100 (CET)
Subject: SUSE-SU-2020:3415-1: important: Security update for xen
Message-ID: <20201119171519.596C1F404@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3415-1
Rating:             important
References:         #1177950 #1178591
Cross-References:   CVE-2020-28368
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.
Description:

This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack,
  aka XSA-351 (bsc#1178591).

Non-security issue fixed:

- Adjusted help for --max_iters, default is 5 (bsc#1177950).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3415=1

- SUSE OpenStack Cloud 9:

  zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3415=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

  zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3415=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3415=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

  xen-4.11.4_12-2.42.1
  xen-debugsource-4.11.4_12-2.42.1
  xen-doc-html-4.11.4_12-2.42.1
  xen-libs-32bit-4.11.4_12-2.42.1
  xen-libs-4.11.4_12-2.42.1
  xen-libs-debuginfo-32bit-4.11.4_12-2.42.1
  xen-libs-debuginfo-4.11.4_12-2.42.1
  xen-tools-4.11.4_12-2.42.1
  xen-tools-debuginfo-4.11.4_12-2.42.1
  xen-tools-domU-4.11.4_12-2.42.1
  xen-tools-domU-debuginfo-4.11.4_12-2.42.1

- SUSE OpenStack Cloud 9 (x86_64):

  xen-4.11.4_12-2.42.1
  xen-debugsource-4.11.4_12-2.42.1
  xen-doc-html-4.11.4_12-2.42.1
  xen-libs-32bit-4.11.4_12-2.42.1
  xen-libs-4.11.4_12-2.42.1
  xen-libs-debuginfo-32bit-4.11.4_12-2.42.1
  xen-libs-debuginfo-4.11.4_12-2.42.1
  xen-tools-4.11.4_12-2.42.1
  xen-tools-debuginfo-4.11.4_12-2.42.1
  xen-tools-domU-4.11.4_12-2.42.1
  xen-tools-domU-debuginfo-4.11.4_12-2.42.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

  xen-4.11.4_12-2.42.1
  xen-debugsource-4.11.4_12-2.42.1
  xen-doc-html-4.11.4_12-2.42.1
  xen-libs-32bit-4.11.4_12-2.42.1
  xen-libs-4.11.4_12-2.42.1
  xen-libs-debuginfo-32bit-4.11.4_12-2.42.1
  xen-libs-debuginfo-4.11.4_12-2.42.1
  xen-tools-4.11.4_12-2.42.1
  xen-tools-debuginfo-4.11.4_12-2.42.1
  xen-tools-domU-4.11.4_12-2.42.1
  xen-tools-domU-debuginfo-4.11.4_12-2.42.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

  xen-4.11.4_12-2.42.1
  xen-debugsource-4.11.4_12-2.42.1
  xen-doc-html-4.11.4_12-2.42.1
  xen-libs-32bit-4.11.4_12-2.42.1
  xen-libs-4.11.4_12-2.42.1
  xen-libs-debuginfo-32bit-4.11.4_12-2.42.1
  xen-libs-debuginfo-4.11.4_12-2.42.1
  xen-tools-4.11.4_12-2.42.1
  xen-tools-debuginfo-4.11.4_12-2.42.1
  xen-tools-domU-4.11.4_12-2.42.1
  xen-tools-domU-debuginfo-4.11.4_12-2.42.1

References:

https://www.suse.com/security/cve/CVE-2020-28368.html
https://bugzilla.suse.com/1177950
https://bugzilla.suse.com/1178591


From sle-security-updates at lists.suse.com  Thu Nov 19 10:17:24 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:17:24 +0100 (CET)
Subject: SUSE-SU-2020:3416-1: important: Security update for xen
Message-ID: <20201119171724.2F909F404@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3416-1
Rating:             important
References:         #1177950 #1178591
Cross-References:   CVE-2020-28368
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack,
  aka XSA-351 (bsc#1178591).

Non-security issue fixed:

- Adjusted help for --max_iters, default is 5 (bsc#1177950).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3416=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3416=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3416=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

  xen-4.10.4_20-3.47.1
  xen-debugsource-4.10.4_20-3.47.1
  xen-devel-4.10.4_20-3.47.1
  xen-libs-4.10.4_20-3.47.1
  xen-libs-debuginfo-4.10.4_20-3.47.1
  xen-tools-4.10.4_20-3.47.1
  xen-tools-debuginfo-4.10.4_20-3.47.1
  xen-tools-domU-4.10.4_20-3.47.1
  xen-tools-domU-debuginfo-4.10.4_20-3.47.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

  xen-4.10.4_20-3.47.1
  xen-debugsource-4.10.4_20-3.47.1
  xen-devel-4.10.4_20-3.47.1
  xen-libs-4.10.4_20-3.47.1
  xen-libs-debuginfo-4.10.4_20-3.47.1
  xen-tools-4.10.4_20-3.47.1
  xen-tools-debuginfo-4.10.4_20-3.47.1
  xen-tools-domU-4.10.4_20-3.47.1
  xen-tools-domU-debuginfo-4.10.4_20-3.47.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

  xen-4.10.4_20-3.47.1
  xen-debugsource-4.10.4_20-3.47.1
  xen-devel-4.10.4_20-3.47.1
  xen-libs-4.10.4_20-3.47.1
  xen-libs-debuginfo-4.10.4_20-3.47.1
  xen-tools-4.10.4_20-3.47.1
  xen-tools-debuginfo-4.10.4_20-3.47.1
  xen-tools-domU-4.10.4_20-3.47.1
  xen-tools-domU-debuginfo-4.10.4_20-3.47.1

References:

https://www.suse.com/security/cve/CVE-2020-28368.html
https://bugzilla.suse.com/1177950
https://bugzilla.suse.com/1178591


From sle-security-updates at lists.suse.com  Thu Nov 19 10:18:25 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:18:25 +0100 (CET)
Subject: SUSE-SU-2020:3418-1: moderate: Security update for MozillaThunderbird
Message-ID: <20201119171825.EC3A3F404@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3418-1
Rating:             moderate
References:         #1178611
Cross-References:   CVE-2020-26950
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

- Mozilla Thunderbird 78.4.2 MFSA 2020-49 (bsc#1178611)
  * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode
    not accounted for
- Mozilla Thunderbird 78.4.1
  * new: Thunderbird prompts for an address to use when starting an email from
    an address book entry with multiple addresses (bmo#84028)
  * fixed: Searching global search results did not work (bmo#1664761)
  * fixed: Link location was not focused by default when adding a hyperlink in
    message composer (bmo#1670660)
  * fixed: Advanced address book search dialog was unusable (bmo#1668147)
  * fixed: Encrypted draft reply emails lost "Re:" prefix (bmo#1661510)
  * fixed: Replying to a newsgroup message did not open the compose window
    (bmo#1672667)
  * fixed: Unable to delete multiple newsgroup messages (bmo#1657988)
  * fixed: Appmenu displayed visual glitches (bmo#1636243)
  * fixed: Visual glitches when selecting multiple messages in the message pane
    and using Ctrl+click (bmo#1671800)
  * fixed: Switching between dark and light mode could lead to unreadable text
    on macOS (bmo#1668989)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP2:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3418=1

- SUSE Linux Enterprise Workstation Extension 15-SP1:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3418=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

  MozillaThunderbird-78.4.2-3.103.2
  MozillaThunderbird-debuginfo-78.4.2-3.103.2
  MozillaThunderbird-debugsource-78.4.2-3.103.2
  MozillaThunderbird-translations-common-78.4.2-3.103.2
  MozillaThunderbird-translations-other-78.4.2-3.103.2

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

  MozillaThunderbird-78.4.2-3.103.2
  MozillaThunderbird-debuginfo-78.4.2-3.103.2
  MozillaThunderbird-debugsource-78.4.2-3.103.2
  MozillaThunderbird-translations-common-78.4.2-3.103.2
  MozillaThunderbird-translations-other-78.4.2-3.103.2

References:

https://www.suse.com/security/cve/CVE-2020-26950.html
https://bugzilla.suse.com/1178611


From sle-security-updates at lists.suse.com  Thu Nov 19 10:20:18 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:20:18 +0100 (CET)
Subject: SUSE-SU-2020:3414-1: important: Security update for xen
Message-ID: <20201119172018.95324F404@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3414-1
Rating:             important
References:         #1027519 #1177950 #1178591 SLE-16899
Cross-References:   CVE-2020-28368
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has two fixes
is now available.
Description:

This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack,
  aka XSA-351 (bsc#1178591).

Non-security issues fixed:

- Updated to Xen 4.12.4 bug fix release (bsc#1027519).
- Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
- Adjusted help for --max_iters, default is 5 (bsc#1177950).
- Improved performance of live migration to get more throughput on 10Gbs+
  connections (jsc#SLE-16899).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3414=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3414=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 x86_64):

  xen-debugsource-4.12.4_02-3.30.1
  xen-devel-4.12.4_02-3.30.1

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  xen-4.12.4_02-3.30.1
  xen-debugsource-4.12.4_02-3.30.1
  xen-doc-html-4.12.4_02-3.30.1
  xen-libs-32bit-4.12.4_02-3.30.1
  xen-libs-4.12.4_02-3.30.1
  xen-libs-debuginfo-32bit-4.12.4_02-3.30.1
  xen-libs-debuginfo-4.12.4_02-3.30.1
  xen-tools-4.12.4_02-3.30.1
  xen-tools-debuginfo-4.12.4_02-3.30.1
  xen-tools-domU-4.12.4_02-3.30.1
  xen-tools-domU-debuginfo-4.12.4_02-3.30.1

References:

https://www.suse.com/security/cve/CVE-2020-28368.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1177950
https://bugzilla.suse.com/1178591


From sle-security-updates at lists.suse.com  Thu Nov 19 10:21:27 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:21:27 +0100 (CET)
Subject: SUSE-SU-2020:3412-1: important: Security update for xen
Message-ID: <20201119172127.7BE09F404@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3412-1
Rating:             important
References:         #1027519 #1177950 #1178591
Cross-References:   CVE-2020-28368
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack,
  aka XSA-351 (bsc#1178591).

Non-security issues fixed:

- Updated to Xen 4.13.2 bug fix release (bsc#1027519).
- Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
- Adjusted help for --max_iters, default is 5 (bsc#1177950).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3412=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3412=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

  xen-tools-xendomains-wait-disk-4.13.2_02-3.16.2

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64):

  xen-4.13.2_02-3.16.2
  xen-debugsource-4.13.2_02-3.16.2
  xen-devel-4.13.2_02-3.16.2
  xen-tools-4.13.2_02-3.16.2
  xen-tools-debuginfo-4.13.2_02-3.16.2

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

  xen-debugsource-4.13.2_02-3.16.2
  xen-libs-4.13.2_02-3.16.2
  xen-libs-debuginfo-4.13.2_02-3.16.2
  xen-tools-domU-4.13.2_02-3.16.2
  xen-tools-domU-debuginfo-4.13.2_02-3.16.2

References:

https://www.suse.com/security/cve/CVE-2020-28368.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1177950
https://bugzilla.suse.com/1178591


From sle-security-updates at lists.suse.com  Thu Nov 19 10:22:33 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 18:22:33 +0100 (CET)
Subject: SUSE-SU-2020:3413-1: important: Security update for xen
Message-ID: <20201119172233.760DEF404@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3413-1
Rating:             important
References:         #1027519 #1177950 #1178591
Cross-References:   CVE-2020-28368
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.
Description:

   This update for xen fixes the following issues:

   Security issue fixed:

   - CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).

   Non-security issues fixed:

   - Updated to Xen 4.12.4 bug fix release (bsc#1027519).
   - Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
   - Adjusted help for --max_iters, default is 5 (bsc#1177950).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3413=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3413=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64):

      xen-4.12.4_02-3.34.2
      xen-debugsource-4.12.4_02-3.34.2
      xen-devel-4.12.4_02-3.34.2
      xen-tools-4.12.4_02-3.34.2
      xen-tools-debuginfo-4.12.4_02-3.34.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      xen-debugsource-4.12.4_02-3.34.2
      xen-libs-4.12.4_02-3.34.2
      xen-libs-debuginfo-4.12.4_02-3.34.2
      xen-tools-domU-4.12.4_02-3.34.2
      xen-tools-domU-debuginfo-4.12.4_02-3.34.2

References:

   https://www.suse.com/security/cve/CVE-2020-28368.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1177950
   https://bugzilla.suse.com/1178591

From sle-security-updates at lists.suse.com  Thu Nov 19 13:14:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:14:46 +0100 (CET)
Subject: SUSE-SU-2020:3449-1: important: Security update for the Linux Kernel (Live Patch 16 for SLE 15)
Message-ID: <20201119201446.3150DF750@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 16 for SLE 15)
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3449-1
   Rating:             important
   References:         #1177513 #1177729 #1178003 #1178264
   Cross-References:   CVE-2017-1000405 CVE-2020-0430 CVE-2020-12351 CVE-2020-25645
   Affected Products:
                       SUSE Linux Enterprise Module for Live Patching 15
                       SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-150_41 fixes several issues.

   The following security issues were fixed:

   - CVE-2017-1000405: Fixed a bug in the THP CoW support that could have been used by local attackers to corrupt memory of other processes and cause them to crash (bsc#1178264, bsc#1069496, bsc#1070307).
   - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bsc#1176723, bsc#1178003).
   - CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724, bsc#1177729, bsc#1178397).
   - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3440=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3449=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-livepatch-4_12_14-150_41-default-8-2.2
      kernel-livepatch-4_12_14-150_41-default-debuginfo-8-2.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):

      kgraft-patch-4_12_14-95_40-default-8-2.2

References:

   https://www.suse.com/security/cve/CVE-2017-1000405.html
   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://bugzilla.suse.com/1177513
   https://bugzilla.suse.com/1177729
   https://bugzilla.suse.com/1178003
   https://bugzilla.suse.com/1178264

From sle-security-updates at lists.suse.com  Thu Nov 19 13:16:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:16:07 +0100 (CET)
Subject: SUSE-SU-2020:3441-1: important: Security update for the Linux Kernel (Live Patch 19 for SLE 15)
Message-ID: <20201119201607.497EBF750@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 19 for SLE 15)
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3441-1
   Rating:             important
   References:         #1177513 #1177729 #1178003
   Cross-References:   CVE-2020-0430 CVE-2020-12351 CVE-2020-25645
   Affected Products:
                       SUSE Linux Enterprise Module for Live Patching 15
                       SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-150_55 fixes several issues.
   The following security issues were fixed:

   - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bsc#1176723, bsc#1178003).
   - CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724, bsc#1177729, bsc#1178397).
   - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3435=1 SUSE-SLE-Module-Live-Patching-15-2020-3437=1 SUSE-SLE-Module-Live-Patching-15-2020-3438=1 SUSE-SLE-Module-Live-Patching-15-2020-3439=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3441=1 SUSE-SLE-Live-Patching-12-SP4-2020-3442=1 SUSE-SLE-Live-Patching-12-SP4-2020-3444=1 SUSE-SLE-Live-Patching-12-SP4-2020-3446=1 SUSE-SLE-Live-Patching-12-SP4-2020-3447=1 SUSE-SLE-Live-Patching-12-SP4-2020-3448=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-livepatch-4_12_14-150_47-default-8-2.2
      kernel-livepatch-4_12_14-150_47-default-debuginfo-8-2.2
      kernel-livepatch-4_12_14-150_52-default-4-2.2
      kernel-livepatch-4_12_14-150_52-default-debuginfo-4-2.2
      kernel-livepatch-4_12_14-150_55-default-4-2.1
      kernel-livepatch-4_12_14-150_55-default-debuginfo-4-2.1
      kernel-livepatch-4_12_14-150_58-default-3-2.1
      kernel-livepatch-4_12_14-150_58-default-debuginfo-3-2.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_51-default-6-2.2
      kgraft-patch-4_12_14-95_54-default-4-2.2
      kgraft-patch-4_12_14-95_57-default-4-2.1
      kgraft-patch-4_12_14-95_60-default-3-2.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):
      kgraft-patch-4_12_14-95_45-default-8-2.2
      kgraft-patch-4_12_14-95_48-default-7-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://bugzilla.suse.com/1177513
   https://bugzilla.suse.com/1177729
   https://bugzilla.suse.com/1178003

From sle-security-updates at lists.suse.com  Thu Nov 19 13:17:20 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:17:20 +0100 (CET)
Subject: SUSE-SU-2020:3425-1: important: Security update for postgresql12
Message-ID: <20201119201720.4FAE6F750@maintenance.suse.de>

SUSE Security Update: Security update for postgresql12
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3425-1
   Rating:             important
   References:         #1178666 #1178667 #1178668
   Cross-References:   CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
   Affected Products:
                       SUSE Linux Enterprise Module for Server Applications 15-SP1
                       SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for postgresql12 fixes the following issues:

   - Upgrade to version 12.5:
     * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries.
     * CVE-2020-25694, bsc#1178667:
       a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb.
       b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used.
     * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables.
     * Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
     * https://www.postgresql.org/about/news/2111/
     * https://www.postgresql.org/docs/12/release-12-5.html

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3425=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3425=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      libecpg6-12.5-3.15.1
      libecpg6-debuginfo-12.5-3.15.1
      postgresql12-contrib-12.5-3.15.1
      postgresql12-contrib-debuginfo-12.5-3.15.1
      postgresql12-debuginfo-12.5-3.15.1
      postgresql12-debugsource-12.5-3.15.1
      postgresql12-devel-12.5-3.15.1
      postgresql12-devel-debuginfo-12.5-3.15.1
      postgresql12-plperl-12.5-3.15.1
      postgresql12-plperl-debuginfo-12.5-3.15.1
      postgresql12-plpython-12.5-3.15.1
      postgresql12-plpython-debuginfo-12.5-3.15.1
      postgresql12-pltcl-12.5-3.15.1
      postgresql12-pltcl-debuginfo-12.5-3.15.1
      postgresql12-server-12.5-3.15.1
      postgresql12-server-debuginfo-12.5-3.15.1
      postgresql12-server-devel-12.5-3.15.1
      postgresql12-server-devel-debuginfo-12.5-3.15.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

      postgresql12-docs-12.5-3.15.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libpq5-12.5-3.15.1
      libpq5-debuginfo-12.5-3.15.1
      postgresql12-12.5-3.15.1
      postgresql12-debuginfo-12.5-3.15.1
      postgresql12-debugsource-12.5-3.15.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libpq5-32bit-12.5-3.15.1
      libpq5-32bit-debuginfo-12.5-3.15.1

References:

   https://www.suse.com/security/cve/CVE-2020-25694.html
   https://www.suse.com/security/cve/CVE-2020-25695.html
   https://www.suse.com/security/cve/CVE-2020-25696.html
   https://bugzilla.suse.com/1178666
   https://bugzilla.suse.com/1178667
   https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com  Thu Nov 19 13:18:29 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:18:29 +0100 (CET)
Subject: SUSE-SU-2020:3424-1: moderate: Security update for wpa_supplicant
Message-ID: <20201119201829.6AB8DF750@maintenance.suse.de>

SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3424-1
   Rating:             moderate
   References:         #1131644 #1131868 #1131870 #1131871 #1131872 #1131874 #1133640 #1144443 #1150934 #1156920 #1165266 #1166933 #1167331 SLE-14992
   Cross-References:   CVE-2015-8041 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 CVE-2018-14526 CVE-2019-11555 CVE-2019-13377 CVE-2019-16275 CVE-2019-9494 CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
   Affected Products:
                       SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes 19 vulnerabilities and contains one feature is now available.
Description:

   This update for wpa_supplicant fixes the following issues:

   wpa_supplicant was updated to 2.9 release:

   * SAE changes
     - disable use of groups using Brainpool curves
     - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
   * EAP-pwd changes
     - disable use of groups using Brainpool curves
     - allow the set of groups to be configured (eap_pwd_groups)
     - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
   * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1)
   * fixed a regression in OpenSSL 1.1+ engine loading
   * added validation of RSNE in (Re)Association Response frames
   * fixed DPP bootstrapping URI parser of channel list
   * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
   * extended ca_cert_blob to support PEM format
   * improved robustness of P2P Action frame scheduling
   * added support for EAP-SIM/AKA using anonymous at realm identity
   * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method
   * added experimental support for EAP-TEAP peer (RFC 7170)
   * added experimental support for EAP-TLS peer with TLS v1.3
   * fixed a regression in WMM parameter configuration for a TDLS peer
   * fixed a regression in operation with drivers that offload 802.1X 4-way handshake
   * fixed an ECDH operation corner case with OpenSSL
   * SAE changes
     - added support for SAE Password Identifier
     - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes
     - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms
     - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP
     - started to prefer FT-SAE over SAE AKM if both are enabled
     - started to prefer FT-SAE over FT-PSK if both are enabled
     - fixed FT-SAE when SAE PMKSA caching is used
     - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256)
     - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
   * EAP-pwd changes
     - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
     - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
     - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
     - enforce rand,mask generation rules more strictly
     - fix a memory leak in PWE derivation
     - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
     - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
   * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
   * Hotspot 2.0 changes
     - do not indicate release number that is higher than the one AP supports
     - added support for release number 3
     - enable PMF automatically for network profiles created from credentials
   * fixed OWE network profile saving
   * fixed DPP network profile saving
   * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1)
   * added Multi-AP backhaul STA support
   * fixed build with LibreSSL
   * number of MKA/MACsec fixes and extensions
   * extended domain_match and domain_suffix_match to allow list of values
   * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL
   * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled
   * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384
   * fixed KEK2 derivation for FILS+FT
   * extended client_cert file to allow loading of a chain of PEM encoded certificates
   * extended beacon reporting functionality
   * extended D-Bus interface with number of new properties
   * fixed a regression in FT-over-DS with mac80211-based drivers
   * OpenSSL: allow systemwide policies to be overridden
   * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability
   * added support for random P2P Device/Interface Address use
   * extended PEAP to derive EMSK to enable use with ERP/FILS
   * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1)
   * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
   * extended domain_match and domain_suffix_match to allow list of values
   * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order
   * fixed PTK rekeying with FILS and FT
   * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
   * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526)
   * added support for FILS (IEEE 802.11ai) shared key authentication
   * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA)
   * added support for DPP (Wi-Fi Device Provisioning Protocol)
   * added support for RSA 3k key case with Suite B 192-bit level
   * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake
   * fixed EAP-pwd pre-processing with PasswordHashHash
   * added EAP-pwd client support for salted passwords
   * fixed a regression in TDLS prohibited bit validation
   * started to use estimated throughput to avoid undesired signal strength based roaming decision
   * MACsec/MKA:
     - new macsec_linux driver interface support for the Linux kernel macsec module
     - number of fixes and extensions
   * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
   * fixed mesh channel configuration pri/sec switch case
   * added support for beacon report
   * large number of other fixes, cleanup, and extensions
   * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter)
   * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
   * added option for using random WPS UUID (auto_uuid=1)
   * added SHA256-hash support for OCSP certificate matching
   * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
   * fixed a regression in RSN pre-authentication candidate selection
   * added option to configure allowed group management cipher suites (group_mgmt network profile parameter)
   * removed all PeerKey functionality
   * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer
   * added ap_isolate configuration option for AP mode
   * added support for nl80211 to offload 4-way handshake into the driver
   * added support for using wolfSSL cryptographic library
   * SAE
     - added support for configuring SAE password separately of the WPA2 PSK/passphrase
     - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be updated at the same time to maintain interoperability
     - added support for Password Identifier
     - fixed FT-SAE PMKID matching
   * Hotspot 2.0
     - added support for fetching of Operator Icon Metadata ANQP-element
     - added support for Roaming Consortium Selection element
     - added support for Terms and Conditions
     - added support for OSEN connection in a shared RSN BSS
     - added support for fetching Venue URL information
   * added support for using OpenSSL 1.1.1
   * FT
     - disabled PMKSA caching with FT since it is not fully functional
     - added support for SHA384 based AKM
     - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
     - fixed additional IE inclusion in Reassociation Request frame when using FT protocol

   - Limit P2P_DEVICE name to appropriate ifname size.
   - Enable SAE support (jsc#SLE-14992).
   - CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
   - Fix wicked wlan (bsc#1156920)
   - Still include fi.epitest.hostap.WPASupplicant.service (bsc#1167331)
   - Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (bsc#1166933)
   - Adjust the service to start after network.target wrt bsc#1165266
   - Using O_WRONLY flag [http://w1.fi/security/2015-5/] (CVE-2015-8041)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3424=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.9-23.3.1
      wpa_supplicant-debuginfo-2.9-23.3.1
      wpa_supplicant-debugsource-2.9-23.3.1

References:

   https://www.suse.com/security/cve/CVE-2015-8041.html
   https://www.suse.com/security/cve/CVE-2017-13077.html
   https://www.suse.com/security/cve/CVE-2017-13078.html
   https://www.suse.com/security/cve/CVE-2017-13079.html
   https://www.suse.com/security/cve/CVE-2017-13080.html
   https://www.suse.com/security/cve/CVE-2017-13081.html
   https://www.suse.com/security/cve/CVE-2017-13082.html
   https://www.suse.com/security/cve/CVE-2017-13086.html
   https://www.suse.com/security/cve/CVE-2017-13087.html
   https://www.suse.com/security/cve/CVE-2017-13088.html
   https://www.suse.com/security/cve/CVE-2018-14526.html
   https://www.suse.com/security/cve/CVE-2019-11555.html
   https://www.suse.com/security/cve/CVE-2019-13377.html
   https://www.suse.com/security/cve/CVE-2019-16275.html
   https://www.suse.com/security/cve/CVE-2019-9494.html
   https://www.suse.com/security/cve/CVE-2019-9495.html
   https://www.suse.com/security/cve/CVE-2019-9497.html
   https://www.suse.com/security/cve/CVE-2019-9498.html
   https://www.suse.com/security/cve/CVE-2019-9499.html
   https://bugzilla.suse.com/1131644
   https://bugzilla.suse.com/1131868
   https://bugzilla.suse.com/1131870
   https://bugzilla.suse.com/1131871
   https://bugzilla.suse.com/1131872
   https://bugzilla.suse.com/1131874
   https://bugzilla.suse.com/1133640
   https://bugzilla.suse.com/1144443
   https://bugzilla.suse.com/1150934
   https://bugzilla.suse.com/1156920
   https://bugzilla.suse.com/1165266
   https://bugzilla.suse.com/1166933
   https://bugzilla.suse.com/1167331

From sle-security-updates at lists.suse.com  Thu Nov 19 13:21:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:21:36 +0100 (CET)
Subject: SUSE-SU-2020:3423-1: moderate: Security update for buildah
Message-ID: <20201119202136.19503F750@maintenance.suse.de>

SUSE Security Update: Security update for buildah
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3423-1
   Rating:             moderate
   References:         #1165184 #1167864
   Cross-References:   CVE-2019-10214 CVE-2020-10696
   Affected Products:
                       SUSE Linux Enterprise Module for Containers 15-SP2
                       SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for buildah fixes the following issues:

   buildah was updated to v1.17.0 (bsc#1165184):

   * Handle cases where other tools mount/unmount containers
   * overlay.MountReadOnly: support RO overlay mounts
   * overlay: use fusermount for rootless umounts
   * overlay: fix umount
   * Switch default log level of Buildah to Warn. Users need to see these messages
   * Drop error messages about OCI/Docker format to Warning level
   * build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2
   * tests/testreport: adjust for API break in storage v1.23.6
   * build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7
   * build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6
   * copier: put: ignore Typeflag="g"
   * Use curl to get repo file (fix #2714)
   * build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0
   * build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1
   * Remove docs that refer to bors, since we're not using it
   * Buildah bud should not use stdin by default
   * bump containerd, docker, and golang.org/x/sys
   * Makefile: cross: remove windows.386 target
   * copier.copierHandlerPut: don't check length when there are errors
   * Stop excessive wrapping
   * CI: require that conformance tests pass
   * bump(github.com/openshift/imagebuilder) to v1.1.8
   * Skip tlsVerify insecure BUILD_REGISTRY_SOURCES
   * Fix build path wrong containers/podman#7993
   * refactor pullpolicy to avoid deps
   * build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0
   * CI: run gating tasks with a lot more memory
   * ADD and COPY: descend into excluded directories, sometimes
   * copier: add more context to a couple of error messages
   * copier: check an error earlier
   * copier: log stderr output as debug on success
   * Update nix pin with make nixpkgs
   * Set directory ownership when copied with ID mapping
   * build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0
   * build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0
   * Cirrus: Remove bors artifacts
   * Sort build flag definitions alphabetically
   * ADD: only expand archives at the right time
   * Remove configuration for bors
   * Shell Completion for podman build flags
   * Bump c/common to v0.24.0
   * New CI check: xref --help vs man pages
   * CI: re-enable several linters
   * Move --userns-uid-map/--userns-gid-map description into buildah man page
   * add: preserve ownerships and permissions on ADDed archives
   * Makefile: tweak the cross-compile target
   * Bump containers/common to v0.23.0
   * chroot: create bind mount targets 0755 instead of 0700
   * Change call to Split() to safer SplitN()
   * chroot: fix handling of errno seccomp rules
   * build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0
   * Add In Progress section to contributing
   * integration tests: make sure tests run in ${topdir}/tests
   * Run(): ignore containers.conf's environment configuration
   * Warn when setting healthcheck in OCI format
   * Cirrus: Skip git-validate on branches
   * tools: update git-validation to the latest commit
   * tools: update golangci-lint to v1.18.0
   * Add a few tests of push command
   * Add(): fix handling of relative paths with no ContextDir
   * build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0
   * Lint: Use same linters as podman
   * Validate: reference HEAD
   * Fix buildah mount to display container names not ids
   * Update nix pin with make nixpkgs
   * Add missing --format option in buildah from man page
   * Fix up code based on codespell
   * build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7
   * build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5
   * Improve buildah completions
   * Cirrus: Fix validate commit epoch
   * Fix bash completion of manifest flags
   * Uniform some man pages
   * Update Buildah Tutorial to address BZ1867426
   * Update bash completion of manifest add sub command
   * copier.Get(): hard link targets shouldn't be relative paths
   * build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2
   * Pass timestamp down to history lines
   * Timestamp gets updated every time you inspect an image
   * bud.bats: use absolute paths in newly-added tests
   * contrib/cirrus/lib.sh: don't use CN for the hostname
   * tests: Add some tests
   * Update manifest add man page
   * Extend flags of manifest add
   * build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4
   * build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1
   * CI: expand cross-compile checks

   Update to v1.16.2:

   * fix build on 32bit arches
   * containerImageRef.NewImageSource(): don't always force timestamps
   * Add fuse module warning to image readme
   * Heed our retry delay option values when retrying commit/pull/push
   * Switch to containers/common for seccomp
   * Use --timestamp rather than --omit-timestamp
   * docs: remove outdated notice
   * docs: remove outdated notice
   * build-using-dockerfile: add a hidden --log-rusage flag
   * build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2
   * Discard ReportWriter if user sets options.Quiet
   * build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3
   * Fix ownership of content copied using COPY --from
   * newTarDigester: zero out timestamps in tar headers
   * Update nix pin with `make nixpkgs`
   * bud.bats: correct .dockerignore integration tests
   * Use pipes for copying
   * run: include stdout in error message
   * run: use the correct error for errors.Wrapf
   * copier: un-export internal types
   * copier: add Mkdir()
   * in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE
   * docs/buildah-commit.md: tweak some wording, add a --rm example
   * imagebuildah: don't blank out destination names when COPYing
   * Replace retry functions with common/pkg/retry
   * StageExecutor.historyMatches: compare timestamps using .Equal
   * Update vendor of containers/common
   * Fix errors found in coverity scan
   * Change namespace handling flags to better match podman commands
   * conformance testing: ignore buildah.BuilderIdentityAnnotation labels
   * Vendor in containers/storage v1.23.0
   * Add buildah.IsContainer interface
   * Avoid feeding run_buildah to pipe
   * fix(buildahimage): add xz dependency in buildah image
   * Bump github.com/containers/common from 0.15.2 to 0.18.0
   * Howto for rootless image building from OpenShift
   * Add --omit-timestamp flag to buildah bud
   * Update nix pin with `make nixpkgs`
   * Shutdown storage on failures
   * Handle COPY --from when an argument is used
   * Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0
   * Cirrus: Use newly built VM images
   * Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92
   * Enhance the .dockerignore man pages
   * conformance: add a test for COPY from subdirectory
   * fix bug manifest inspect
   * Add documentation for .dockerignore
   * Add BuilderIdentityAnnotation to identify buildah version
   * DOC: Add quay.io/containers/buildah image to README.md
   * Update buildahimages readme
   * fix spelling mistake in "info" command result display
   * Don't bind /etc/host and /etc/resolv.conf if network is not present
   * blobcache: avoid an unnecessary NewImage()
   * Build static binary with `buildGoModule`
   * copier: split StripSetidBits into StripSetuidBit/StripSetgidBit/StripStickyBit
   * tarFilterer: handle multiple archives
   * Fix a race we hit during conformance tests
   * Rework conformance testing
   * Update 02-registries-repositories.md
   * test-unit: invoke cmd/buildah tests with --flags
   * parse: fix a type mismatch in a test
   * Fix compilation of tests/testreport/testreport
   * build.sh: log the version of Go that we're using
   * test-unit: increase the test timeout to 40/45 minutes
   * Add the "copier" package
   * Fix & add notes regarding problematic language in codebase
   * Add dependency on github.com/stretchr/testify/require
   * CompositeDigester: add the ability to filter tar streams
   * BATS tests: make more robust
   * vendor golang.org/x/text at v0.3.3
   * Switch golang 1.12 to golang 1.13
   * imagebuildah: wait for stages that might not have even started yet
   * chroot, run: not fail on bind mounts from /sys
   * chroot: do not use setgroups if it is blocked
   * Set engine env from containers.conf
   * imagebuildah: return the right stage's image as the "final" image
   * Fix a help string
   * Deduplicate environment variables
   * switch containers/libpod to containers/podman
   * Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3
   * Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0
   * Mask out /sys/dev to prevent information leak
   * linux: skip errors from the runtime kill
   * Mask over the /sys/fs/selinux in mask branch
   * Add VFS additional image store to container
   * tests: add auth tests
   * Allow "readonly" as alias to "ro" in mount options
   * Ignore OS X specific consistency mount option
   * Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0
   * Bump github.com/containers/common from 0.14.0 to 0.15.2
   * Rootless Buildah should default to IsolationOCIRootless
   * imagebuildah: fix inheriting multi-stage builds
   * Make imagebuildah.BuildOptions.Architecture/OS optional
   * Make imagebuildah.BuildOptions.Jobs optional
   * Resolve a possible race in imagebuildah.Executor.startStage()
   * Switch scripts to use containers.conf
   * Bump openshift/imagebuilder to v1.1.6
   * Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5
   * buildah, bud: support --jobs=N for parallel execution
   * executor: refactor build code inside new function
   * Add bud regression tests
   * Cirrus: Fix missing htpasswd in registry img
   * docs: clarify the 'triples' format
   * CHANGELOG.md: Fix markdown formatting
   * Add nix derivation for static builds
   * Bump to v1.16.0-dev

   Update to v1.15.1:

   * Mask over the /sys/fs/selinux in mask branch
   * chroot: do not use setgroups if it is blocked
   * chroot, run: not fail on bind mounts from /sys
   * Allow "readonly" as alias to "ro" in mount options
   * Add VFS additional image store to container
   * vendor golang.org/x/text at v0.3.3
   * Make imagebuildah.BuildOptions.Architecture/OS optional

   Update to v1.15.0:

   * Add CVE-2020-10696 to CHANGELOG.md and changelog.txt
   * fix lighttpd example
   * remove dependency on openshift struct
   * Warn on unset build arguments
   * vendor: update seccomp/containers-golang to v0.4.1
   * Updated docs
   * clean up comments
   * update exit code for tests
   * Implement commit for encryption
   * implementation of encrypt/decrypt push/pull/bud/from
   * fix resolve docker image name as transport
   * Add preliminary profiling support to the CLI
   * Evaluate symlinks in build context directory
   * fix error info about get signatures for containerImageSource
   * Add Security Policy
   * Cirrus: Fixes from review feedback
   * imagebuildah: stages shouldn't count as their base images
   * Update containers/common v0.10.0
   * Add registry to buildahimage Dockerfiles
   * Cirrus: Use pre-installed VM packages + F32
   * Cirrus: Re-enable all distro versions
   * Cirrus: Update to F31 + Use cache images
   * golangci-lint: Disable gosimple
   * Lower number of golangci-lint threads
   * Fix permissions on containers.conf
   * Don't force tests to use runc
   * Return exit code from failed containers
   * cgroup_manager should be under [engine]
   * Use c/common/pkg/auth in login/logout
   * Cirrus: Temporarily disable Ubuntu 19 testing
   * Add containers.conf to stablebyhand build
   * Update gitignore to exclude test Dockerfiles
   * Remove warning for systemd inside of container

   Update to v1.14.6:

   * Make image history work correctly with new args handling
   * Don't add args to the RUN environment from the Builder

   Update to v1.14.5:

   * Revert FIPS mode change

   Update to v1.14.4:

   * Update unshare man page to fix script example
   * Fix compilation errors on non linux platforms
   * Preserve volume uid and gid through subsequent commands
   * Fix potential CVE in tarfile w/ symlink
   * Fix .dockerignore with globs and !
commands Update to v1.14.2: * Search for local runtime per values in containers.conf * Set correct ownership on working directory * Improve remote manifest retrieval * Correct a couple of incorrect format specifiers * manifest push --format: force an image type, not a list type * run: adjust the order in which elements are added to $ * getDateAndDigestAndSize(): handle creation time not being set * Make the commit id clear like Docker * Show error on copied file above context directory in build * pull/from/commit/push: retry on most failures * Repair buildah so it can use containers.conf on the server side * Fixing formatting & build instructions * Fix XDG_RUNTIME_DIR for authfile * Show validation command-line Update to v1.14.0: * getDateAndDigestAndSize(): use manifest.Digest * Touch up os/arch doc * chroot: handle slightly broken seccomp defaults * buildahimage: specify fuse-overlayfs mount options * parse: don't complain about not being able to rename something to itself * Fix build for 32bit platforms * Allow users to set OS and architecture on bud * Fix COPY in containerfile with envvar * Add --sign-by to bud/commit/push, --remove-signatures for pull/push * Add support for containers.conf * manifest push: add --format option Update to v1.13.1: * copyFileWithTar: close source files at the right time * copy: don't digest files that we ignore * Check for .dockerignore specifically * Don't setup excludes, if their is only one pattern to match * set HOME env to /root on chroot-isolation by default * docs: fix references to containers-*.5 * fix bug Add check .dockerignore COPY file * buildah bud --volume: run from tmpdir, not source dir * Fix imageNamePrefix to give consistent names in buildah-from * cpp: use -traditional and -undef flags * discard outputs coming from onbuild command on buildah-from --quiet * make --format columnizing consistent with buildah images * Fix option handling for volumes in build * Rework overlay pkg for use with libpod * Fix 
buildahimage builds for buildah * Add support for FIPS-Mode backends * Set the TMPDIR for pulling/pushing image to $TMPDIR Update to v1.12.0: * Allow ADD to use http src * imgtype: reset storage opts if driver overridden * Start using containers/common * overlay.bats typo: fuse-overlays should be fuse-overlayfs * chroot: Unmount with MNT_DETACH instead of UnmountMountpoints() * bind: don't complain about missing mountpoints * imgtype: check earlier for expected manifest type * Add history names support Update to v1.11.6: * Handle missing equal sign in --from and --chown flags for COPY/ADD * bud COPY does not download URL * Fix .dockerignore exclude regression * commit(docker): always set ContainerID and ContainerConfig * Touch up commit man page image parameter * Add builder identity annotations. Update to v1.11.5: * buildah: add "manifest" command * pkg/supplemented: add a package for grouping images together * pkg/manifests: add a manifest list build/manipulation API * Update for ErrUnauthorizedForCredentials API change in containers/image * Update for manifest-lists API changes in containers/image * version: also note the version of containers/image * Move to containers/image v5.0.0 * Enable --device directory as src device * Add clarification to the Tutorial for new users * Silence "using cache" to ensure -q is fully quiet * Move runtime flag to bud from common * Commit: check for storage.ErrImageUnknown using errors.Cause() * Fix crash when invalid COPY --from flag is specified. 
Update to v1.11.4: * buildah: add a "manifest" command * pkg/manifests: add a manifest list build/manipulation API * Update for ErrUnauthorizedForCredentials API change in containers/image * Update for manifest-lists API changes in containers/image * Move to containers/image v5.0.0 * Enable --device directory as src device * Add clarification to the Tutorial for new users * Silence "using cache" to ensure -q is fully quiet * Move runtime flag to bud from common * Commit: check for storage.ErrImageUnknown using errors.Cause() * Fix crash when invalid COPY --from flag is specified. Update to v1.11.3: * Add cgroups2 * Add support for retrieving context from stdin "-" * Added tutorial on how to include Buildah as library * Fix --build-args handling * Print build 'STEP' line to stdout, not stderr * Use Containerfile by default Update to v1.11.2: * Add some cleanup code * Move devices code to unit specific directory. Update to v1.11.1: * Add --devices flag to bud and from * Add support for /run/.containerenv * Allow mounts.conf entries for equal source and destination paths * Fix label and annotation for 1-line Dockerfiles * Preserve file and directory mount permissions * Replace --debug=false with --log-level=error * Set TMPDIR to /var/tmp by default * Truncate output of too long image names * Ignore EmptyLayer if Squash is set Update to v1.11.0: * Add --digestfile and Re-add push statement as debug * Add --log-level command line option and deprecate --debug * Add security-related volume options to validator * Allow buildah bud to be called without arguments * Allow to override build date with SOURCE_DATE_EPOCH * Correctly detect ExitError values from Run() * Disable empty logrus timestamps to reduce logger noise * Fix directory pull image names * Fix handling of /dev/null masked devices * Fix possible runtime panic on bud * Update bud/from help to contain indicator for --dns=none * Update documentation about bud * Update shebangs to take env into consideration * Use 
content digests in ADD/COPY history entries * add support for cgroupsV2 * add: add a DryRun flag to AddAndCopyOptions * add: handle hard links when copying with .dockerignore * add: teach copyFileWithTar() about symlinks and directories * imagebuilder: fix detection of referenced stage roots * pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES * run_linux: fix mounting /sys in a userns Update to v1.10.1: * Add automatic apparmor tag discovery * Add overlayfs to fuse-overlayfs tip * Bug fix for volume minus syntax * Bump container/storage v1.13.1 and containers/image v3.0.1 * Bump containers/image to v3.0.2 to fix keyring issue * Fix bug whereby --get-login has no effect * Bump github.com/containernetworking/cni to v0.7.1 - Add appamor-pattern requirement - Update build process to match the latest repository architecture - Update to v1.10.0 * vendor github.com/containers/image at v3.0.0 * Remove GO111MODULE in favor of -mod=vendor * Vendor in containers/storage v1.12.16 * Add '-' minus syntax for removal of config values * tests: enable overlay tests for rootless * rootless, overlay: use fuse-overlayfs * vendor github.com/containers/image at v2.0.1 * Added '-' syntax to remove volume config option * delete successfully pushed message * Add golint linter and apply fixes * vendor github.com/containers/storage at v1.12.15 * Change wait to sleep in buildahimage readme * Handle ReadOnly images when deleting images * Add support for listing read/only images * from/import: record the base image's digest, if it has one * Fix CNI version retrieval to not require network connection * Add misspell linter and apply fixes * Add goimports linter and apply fixes * Add stylecheck linter and apply fixes * Add unconvert linter and apply fixes * image: make sure we don't try to use zstd compression * run.bats: skip the "z" flag when testing --mount * Update to runc v1.0.0-rc8 * Update to match updated runtime-tools API * bump github.com/opencontainers/runtime-tools to v0.9.0 * 
Build e2e tests using the proper build tags * Add unparam linter and apply fixes * Run: correct a typo in the --cap-add help text * unshare: add a --mount flag * fix push check image name is not empty * add: fix slow copy with no excludes * Add errcheck linter and fix missing error check * Improve tests/tools/Makefile parallelism and abstraction * Fix response body not closed resource leak * Switch to golangci-lint * Add gomod instructions and mailing list links * On Masked path, check if /dev/null already mounted before mounting * Update to containers/storage v1.12.13 * Refactor code in package imagebuildah * Add rootless podman with NFS issue in documentation * Add --mount for buildah run * import method ValidateVolumeOpts from libpod * Fix typo * Makefile: set GO111MODULE=off * rootless: add the built-in slirp DNS server * Update docker/libnetwork to get rid of outdated sctp package * Update buildah-login.md * migrate to go modules * install.md: mention go modules * tests/tools: go module for test binaries * fix --volume splits comma delimited option * Add bud test for RUN with a priv'd command * vendor logrus v1.4.2 * pkg/cli: panic when flags can't be hidden * pkg/unshare: check all errors * pull: check error during report write * run_linux.go: ignore unchecked errors * conformance test: catch copy error * chroot/run_test.go: export funcs to actually be executed * tests/imgtype: ignore error when shutting down the store * testreport: check json error * bind/util.go: remove unused func * rm chroot/util.go * imagebuildah: remove unused dedupeStringSlice * StageExecutor: EnsureContainerPath: catch error from SecureJoin() * imagebuildah/build.go: return instead of branching * rmi: avoid redundant branching * conformance tests: nilness: allocate map * imagebuildah/build.go: avoid redundant filepath.Join() * imagebuildah/build.go: avoid redundant os.Stat() * imagebuildah: omit comparison to bool * fix "ineffectual assignment" lint errors * docker: ignore "repeats 
json tag" lint error * pkg/unshare: use ... instead of iterating a slice * conformance: bud test: use raw strings for regexes * conformance suite: remove unused func/var * buildah test suite: remove unused vars/funcs * testreport: fix golangci-lint errors * util: remove redundant return statement * chroot: only log clean-up errors * images_test: ignore golangci-lint error * blobcache: log error when draining the pipe * imagebuildah: check errors in deferred calls * chroot: fix error handling in deferred funcs * cmd: check all errors * chroot/run_test.go: check errors * chroot/run.go: check errors in deferred calls * imagebuildah.Executor: remove unused onbuild field * docker/types.go: remove unused struct fields * util: use strings.ContainsRune instead of index check * Cirrus: Initial implementation * buildah-run: fix-out-of-range panic (2) * Update containers/image to v2.0.0 * run: fix hang with run and --isolation=chroot * run: fix hang when using run * chroot: drop unused function call * remove --> before imgageID on build * Always close stdin pipe * Write deny to setgroups when doing single user mapping * Avoid including linux/memfd.h * Add a test for the symlink pointing to a directory * Add missing continue * Fix the handling of symlinks to absolute paths * Only set default network sysctls if not rootless * Support --dns=none like podman * fix bug --cpu-shares parsing typo * Fix validate complaint * Update vendor on containers/storage to v1.12.10 * Create directory paths for COPY thereby ensuring correct perms * imagebuildah: use a stable sort for comparing build args * imagebuildah: tighten up cache checking * bud.bats: add a test verying the order of --build-args * add -t to podman run * imagebuildah: simplify screening by top layers * imagebuildah: handle ID mappings for COPY --from * imagebuildah: apply additionalTags ourselves * bud.bats: test additional tags with cached images * bud.bats: add a test for WORKDIR and COPY with absolute destinations * 
Cleanup Overlay Mounts content * Add support for file secret mounts * Add ability to skip secrets in mounts file * allow 32bit builds * fix tutorial instructions * imagebuilder: pass the right contextDir to Add() * add: use fileutils.PatternMatcher for .dockerignore * bud.bats: add another .dockerignore test * unshare: fallback to single usermapping * addHelperSymlink: clear the destination on os.IsExist errors * bud.bats: test replacing symbolic links * imagebuildah: fix handling of destinations that end with '/' * bud.bats: test COPY with a final "/" in the destination * linux: add check for sysctl before using it * unshare: set _CONTAINERS_ROOTLESS_GID * Rework buildahimamges * build context: support https git repos * Add a test for ENV special chars behaviour * Check in new Dockerfiles * Apply custom SHELL during build time * config: expand variables only at the command line * SetEnv: we only need to expand v once * Add default /root if empty on chroot iso * Add support for Overlay volumes into the container. 
* Export buildah validate volume functions so it can share code with libpod * Bump baseline test to F30 * Fix rootless handling of /dev/shm size * Avoid fmt.Printf() in the library * imagebuildah: tighten cache checking back up * Handle WORKDIR with dangling target * Default Authfile to proper path * Make buildah run --isolation follow BUILDAH_ISOLATION environment * Vendor in latest containers/storage and containers/image * getParent/getChildren: handle layerless images * imagebuildah: recognize cache images for layerless images * bud.bats: test scratch images with --layers caching * Get CHANGELOG.md updates * Add some symlinks to test our .dockerignore logic * imagebuildah: addHelper: handle symbolic links * commit/push: use an everything-allowed policy * Correct manpage formatting in files section * Remove must be root statement from buildah doc * Change image names to stable, testing and upstream * Don't create directory on container * Replace kubernetes/pause in tests with k8s.gcr.io/pause * imagebuildah: don't remove intermediate images if we need them * Rework buildahimagegit to buildahimageupstream * Fix Transient Mounts * Handle WORKDIRs that are symlinks * allow podman to build a client for windows * Touch up 1.9-dev to 1.9.0-dev * Resolve symlink when checking container path * commit: commit on every instruction, but not always with layers * CommitOptions: drop the unused OnBuild field * makeImageRef: pass in the whole CommitOptions structure * cmd: API cleanup: stores before images * run: check if SELinux is enabled * Fix buildahimages Dockerfiles to include support for additionalimages mounted from host. 
* Detect changes in rootdir * Fix typo in buildah-pull(1) * Vendor in latest containers/storage * Keep track of any build-args used during buildah bud --layers * commit: always set a parent ID * imagebuildah: rework unused-argument detection * fix bug dest path when COPY .dockerignore * Move Host IDMAppings code from util to unshare * Add BUILDAH_ISOLATION rootless back * Travis CI: fail fast, upon error in any step * imagebuildah: only commit images for intermediate stages if we have to * Use errors.Cause() when checking for IsNotExist errors * auto pass http_proxy to container * imagebuildah: don't leak image structs * Add Dockerfiles for buildahimages * Bump to Replace golang 1.10 with 1.12 * add --dns* flags to buildah bud * Add hack/build_speed.sh test speeds on building container images * Create buildahimage Dockerfile for Quay * rename 'is' to 'expect_output' * squash.bats: test squashing in multi-layered builds * bud.bats: test COPY --from in a Dockerfile while using the cache * commit: make target image names optional * Fix bud-args to allow comma separation * oops, missed some tests in commit.bats * new helper: expect_line_count * New tests for #1467 (string slices in cmdline opts) * Workarounds for dealing with travis; review feedback * BATS tests - extensive but minor cleanup * imagebuildah: defer pulling images for COPY --from * imagebuildah: centralize COMMIT and image ID output * Travis: do not use traviswait * imagebuildah: only initialize imagebuilder configuration once per stage * Make cleaner error on Dockerfile build errors * unshare: move to pkg/ * unshare: move some code from cmd/buildah/unshare * Fix handling of Slices versus Arrays * imagebuildah: reorganize stage and per-stage logic * imagebuildah: add empty layers for instructions * Add missing step in installing into Ubuntu * fix bug in .dockerignore support * imagebuildah: deduplicate prepended "FROM" instructions * Touch up intro * commit: set created-by to the shell if it isn't set * 
  * commit: check that we always set a "created-by"
  * docs/buildah.md: add "containers-" prefixes under "SEE ALSO"
- Update to v1.7.2
  * Updates vendored containers/storage to latest version
  * rootless: by default use the host network namespace
- Full changelog: https://github.com/containers/buildah/releases/tag/v1.6

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Containers 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2020-3423=1
- SUSE Linux Enterprise Module for Containers 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-3423=1

Package List:

- SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):
  buildah-1.17.0-3.6.1
- SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):
  buildah-1.17.0-3.6.1

References:

https://www.suse.com/security/cve/CVE-2019-10214.html
https://www.suse.com/security/cve/CVE-2020-10696.html
https://bugzilla.suse.com/1165184
https://bugzilla.suse.com/1167864

From sle-security-updates at lists.suse.com Thu Nov 19 13:22:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Nov 2020 21:22:49 +0100 (CET)
Subject: SUSE-SU-2020:3433-1: important: Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3)
Message-ID: <20201119202249.1F09BF750@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3433-1
Rating:             important
References:         #1177513
Cross-References:   CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP2-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for the Linux Kernel 4.4.180-94_113 fixes one issue.

The following security issue was fixed:

- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be sent unencrypted (bnc#1177513).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3426=1 SUSE-SLE-SAP-12-SP3-2020-3427=1 SUSE-SLE-SAP-12-SP3-2020-3429=1 SUSE-SLE-SAP-12-SP3-2020-3430=1 SUSE-SLE-SAP-12-SP3-2020-3432=1 SUSE-SLE-SAP-12-SP3-2020-3433=1 SUSE-SLE-SAP-12-SP3-2020-3445=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3428=1 SUSE-SLE-SAP-12-SP2-2020-3431=1 SUSE-SLE-SAP-12-SP2-2020-3434=1 SUSE-SLE-SAP-12-SP2-2020-3436=1 SUSE-SLE-SAP-12-SP2-2020-3443=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3426=1 SUSE-SLE-SERVER-12-SP3-2020-3427=1 SUSE-SLE-SERVER-12-SP3-2020-3429=1 SUSE-SLE-SERVER-12-SP3-2020-3430=1 SUSE-SLE-SERVER-12-SP3-2020-3432=1 SUSE-SLE-SERVER-12-SP3-2020-3433=1 SUSE-SLE-SERVER-12-SP3-2020-3445=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3428=1 SUSE-SLE-SERVER-12-SP2-2020-3431=1 SUSE-SLE-SERVER-12-SP2-2020-3434=1 SUSE-SLE-SERVER-12-SP2-2020-3436=1 SUSE-SLE-SERVER-12-SP2-2020-3443=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  kgraft-patch-4_4_180-94_107-default-9-2.2
  kgraft-patch-4_4_180-94_107-default-debuginfo-9-2.2
  kgraft-patch-4_4_180-94_113-default-8-2.2
  kgraft-patch-4_4_180-94_113-default-debuginfo-8-2.2
  kgraft-patch-4_4_180-94_116-default-5-2.2
  kgraft-patch-4_4_180-94_116-default-debuginfo-5-2.2
  kgraft-patch-4_4_180-94_121-default-4-2.2
  kgraft-patch-4_4_180-94_121-default-debuginfo-4-2.2
  kgraft-patch-4_4_180-94_124-default-4-2.2
  kgraft-patch-4_4_180-94_124-default-debuginfo-4-2.2
  kgraft-patch-4_4_180-94_127-default-4-2.1
  kgraft-patch-4_4_180-94_127-default-debuginfo-4-2.1
  kgraft-patch-4_4_180-94_130-default-3-2.1
  kgraft-patch-4_4_180-94_130-default-debuginfo-3-2.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  kgraft-patch-4_4_121-92_125-default-9-2.2
  kgraft-patch-4_4_121-92_129-default-6-2.2
  kgraft-patch-4_4_121-92_135-default-4-2.2
  kgraft-patch-4_4_121-92_138-default-4-2.1
  kgraft-patch-4_4_121-92_141-default-3-2.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):
  kgraft-patch-4_4_180-94_107-default-9-2.2
  kgraft-patch-4_4_180-94_107-default-debuginfo-9-2.2
  kgraft-patch-4_4_180-94_113-default-8-2.2
  kgraft-patch-4_4_180-94_113-default-debuginfo-8-2.2
  kgraft-patch-4_4_180-94_116-default-5-2.2
  kgraft-patch-4_4_180-94_116-default-debuginfo-5-2.2
  kgraft-patch-4_4_180-94_121-default-4-2.2
  kgraft-patch-4_4_180-94_121-default-debuginfo-4-2.2
  kgraft-patch-4_4_180-94_124-default-4-2.2
  kgraft-patch-4_4_180-94_124-default-debuginfo-4-2.2
  kgraft-patch-4_4_180-94_127-default-4-2.1
  kgraft-patch-4_4_180-94_127-default-debuginfo-4-2.1
  kgraft-patch-4_4_180-94_130-default-3-2.1
  kgraft-patch-4_4_180-94_130-default-debuginfo-3-2.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):
  kgraft-patch-4_4_121-92_125-default-9-2.2
  kgraft-patch-4_4_121-92_129-default-6-2.2
  kgraft-patch-4_4_121-92_135-default-4-2.2
  kgraft-patch-4_4_121-92_138-default-4-2.1
  kgraft-patch-4_4_121-92_141-default-3-2.1

References:

https://www.suse.com/security/cve/CVE-2020-25645.html
https://bugzilla.suse.com/1177513

From sle-security-updates at lists.suse.com Fri Nov 20 07:16:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 15:16:49 +0100 (CET)
Subject: SUSE-SU-2020:3459-1: moderate: Security update for ceph
Message-ID: <20201120141649.A10ADF750@maintenance.suse.de>

SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3459-1
Rating:             moderate
References:         #1151612 #1158257 #1169134 #1170487 #1174591 #1175061 #1175240 #1175781 #1177843
Cross-References:   CVE-2020-25660
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Enterprise Storage 6
______________________________________________________________________________

An update that solves one vulnerability and has 8 fixes is now available.

Description:

This update for ceph fixes the following issues:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- Major batch refactor of ceph-volume that addresses a couple of issues (bsc#1151612, bsc#1158257)
- Documented Prometheus' security model (bsc#1169134)
- monclient: Fixed an issue where executing several ceph commands in a short amount of time led to a segmentation fault (bsc#1170487)
- Fixed an issue where it was not possible to edit an iSCSI logged-in client (bsc#1174591)
- Fixed an issue where OSDs could not be started after they had failed (bsc#1175061)
- Fixed an issue in the restful module, which aborted when executing POST calls (bsc#1175240)
- Fixed a many-to-many issue in the host-details Grafana dashboard (bsc#1175585)
- Fixed collection_list ordering in os/bluestore (bsc#1172546)
- Fixed help output of lvmcache (bsc#1175781)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3459=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2020-3459=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  ceph-common-14.2.13.450+g65ea1b614d-3.52.1
  ceph-common-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-debugsource-14.2.13.450+g65ea1b614d-3.52.1
  libcephfs-devel-14.2.13.450+g65ea1b614d-3.52.1
  libcephfs2-14.2.13.450+g65ea1b614d-3.52.1
  libcephfs2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librados-devel-14.2.13.450+g65ea1b614d-3.52.1
  librados-devel-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librados2-14.2.13.450+g65ea1b614d-3.52.1
  librados2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  libradospp-devel-14.2.13.450+g65ea1b614d-3.52.1
  librbd-devel-14.2.13.450+g65ea1b614d-3.52.1
  librbd1-14.2.13.450+g65ea1b614d-3.52.1
  librbd1-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librgw-devel-14.2.13.450+g65ea1b614d-3.52.1
  librgw2-14.2.13.450+g65ea1b614d-3.52.1
  librgw2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-ceph-argparse-14.2.13.450+g65ea1b614d-3.52.1
  python3-cephfs-14.2.13.450+g65ea1b614d-3.52.1
  python3-cephfs-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rados-14.2.13.450+g65ea1b614d-3.52.1
  python3-rados-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rbd-14.2.13.450+g65ea1b614d-3.52.1
  python3-rbd-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rgw-14.2.13.450+g65ea1b614d-3.52.1
  python3-rgw-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  rados-objclass-devel-14.2.13.450+g65ea1b614d-3.52.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  ceph-14.2.13.450+g65ea1b614d-3.52.1
  ceph-base-14.2.13.450+g65ea1b614d-3.52.1
  ceph-base-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-common-14.2.13.450+g65ea1b614d-3.52.1
  ceph-common-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-debugsource-14.2.13.450+g65ea1b614d-3.52.1
  ceph-fuse-14.2.13.450+g65ea1b614d-3.52.1
  ceph-fuse-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mds-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mds-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mgr-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mgr-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mon-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mon-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-osd-14.2.13.450+g65ea1b614d-3.52.1
  ceph-osd-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  ceph-radosgw-14.2.13.450+g65ea1b614d-3.52.1
  ceph-radosgw-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  cephfs-shell-14.2.13.450+g65ea1b614d-3.52.1
  libcephfs2-14.2.13.450+g65ea1b614d-3.52.1
  libcephfs2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librados2-14.2.13.450+g65ea1b614d-3.52.1
  librados2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librbd1-14.2.13.450+g65ea1b614d-3.52.1
  librbd1-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  librgw2-14.2.13.450+g65ea1b614d-3.52.1
  librgw2-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-ceph-argparse-14.2.13.450+g65ea1b614d-3.52.1
  python3-cephfs-14.2.13.450+g65ea1b614d-3.52.1
  python3-cephfs-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rados-14.2.13.450+g65ea1b614d-3.52.1
  python3-rados-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rbd-14.2.13.450+g65ea1b614d-3.52.1
  python3-rbd-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  python3-rgw-14.2.13.450+g65ea1b614d-3.52.1
  python3-rgw-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  rbd-fuse-14.2.13.450+g65ea1b614d-3.52.1
  rbd-fuse-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  rbd-mirror-14.2.13.450+g65ea1b614d-3.52.1
  rbd-mirror-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
  rbd-nbd-14.2.13.450+g65ea1b614d-3.52.1
  rbd-nbd-debuginfo-14.2.13.450+g65ea1b614d-3.52.1
- SUSE Enterprise Storage 6 (noarch):
  ceph-grafana-dashboards-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mgr-dashboard-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mgr-diskprediction-local-14.2.13.450+g65ea1b614d-3.52.1
  ceph-mgr-rook-14.2.13.450+g65ea1b614d-3.52.1
  ceph-prometheus-alerts-14.2.13.450+g65ea1b614d-3.52.1

References:

https://www.suse.com/security/cve/CVE-2020-25660.html
https://bugzilla.suse.com/1151612
https://bugzilla.suse.com/1158257
https://bugzilla.suse.com/1169134
https://bugzilla.suse.com/1170487
https://bugzilla.suse.com/1174591
https://bugzilla.suse.com/1175061
https://bugzilla.suse.com/1175240
https://bugzilla.suse.com/1175781
https://bugzilla.suse.com/1177843

From sle-security-updates at lists.suse.com Fri Nov 20 07:20:35 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 15:20:35 +0100 (CET)
Subject: SUSE-SU-2020:3458-1: important: Security update for MozillaFirefox
Message-ID: <20201120142035.770D4F750@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3458-1
Rating:             important
References:         #1178824
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.
Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
  * CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
  * CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
  * CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
  * CVE-2020-26956: XSS through paste (manual and clipboard API)
  * CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
  * CVE-2020-26959: Use-after-free in WebRequestService
  * CVE-2020-26960: Potential use-after-free in uses of nsTArray
  * CVE-2020-15999: Heap buffer overflow in freetype
  * CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965: Software keyboards may have remembered typed passwords
  * CVE-2020-26966: Single-word search queries were also broadcast to local network
  * CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3458=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

   MozillaFirefox-78.5.0-8.17.1
   MozillaFirefox-debuginfo-78.5.0-8.17.1
   MozillaFirefox-debugsource-78.5.0-8.17.1
   MozillaFirefox-devel-78.5.0-8.17.1
   MozillaFirefox-translations-common-78.5.0-8.17.1
   MozillaFirefox-translations-other-78.5.0-8.17.1

References:

   https://www.suse.com/security/cve/CVE-2020-15999.html
   https://www.suse.com/security/cve/CVE-2020-16012.html
   https://www.suse.com/security/cve/CVE-2020-26951.html
   https://www.suse.com/security/cve/CVE-2020-26953.html
   https://www.suse.com/security/cve/CVE-2020-26956.html
   https://www.suse.com/security/cve/CVE-2020-26958.html
   https://www.suse.com/security/cve/CVE-2020-26959.html
   https://www.suse.com/security/cve/CVE-2020-26960.html
   https://www.suse.com/security/cve/CVE-2020-26961.html
   https://www.suse.com/security/cve/CVE-2020-26965.html
   https://www.suse.com/security/cve/CVE-2020-26966.html
   https://www.suse.com/security/cve/CVE-2020-26968.html
   https://bugzilla.suse.com/1178824

From sle-security-updates at lists.suse.com Fri Nov 20 07:21:35 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 15:21:35 +0100 (CET)
Subject: SUSE-SU-2020:3457-1: moderate: Security update for ucode-intel
Message-ID: <20201120142135.220DCF750@maintenance.suse.de>

   SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3457-1
   Rating:             moderate
   References:         #1170446 #1173592 #1173594
   Cross-References:   CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
   Affected Products:
                       SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

- Updated Intel CPU Microcode to 20201110 official release.
- CVE-2020-8695: Fixed Intel RAPL side-channel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.

  ### New Platforms

  | Processor  | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products                 |
  |:-----------|:---------|:------------|:---------|:---------|:-------------------------|
  | CPX-SP     | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3       |
  | LKF        | B2/B3    | 06-8a-01/10 |          | 00000028 | Core w/Hybrid Technology |
  | TGL        | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile        |
  | CML-H      | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile        |
  | CML-S62    | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10               |
  | CML-S102   | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10               |
  | CML-U62 V2 | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile        |

  ### Updated Platforms

  | Processor    | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products                                            |
  |:-------------|:---------|:------------|:---------|:---------|:----------------------------------------------------|
  | HSX-E/EP     | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3                      |
  | SKL-U/Y      | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile                                    |
  | SKL-U23e     | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile                                    |
  | SKX-SP       | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable                                       |
  | SKX-SP       | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable                                       |
  | SKX-D        | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx                                         |
  | CLX-SP       | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2                                  |
  | CLX-SP       | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2                                  |
  | APL          | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx   |
  | APL          | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx                                       |
  | SKL-H/S      | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5                               |
  | GKL-R        | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
  | ICL-U/Y      | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile                                   |
  | AML-Y22      | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile                                    |
  | KBL-U/Y      | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile                                    |
  | CFL-U43e     | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile                                    |
  | WHL-U        | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile                                    |
  | AML-Y42      | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile                                   |
  | CML-Y42      | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile                                   |
  | WHL-U        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile                                    |
  | KBL-G/H/S/E3 | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6                               |
  | CFL-H/S/E3   | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E                   |
  | CFL-S        | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8                                           |
  | CFL-H/S      | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9                                           |
  | CFL-H        | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile                                    |
  | CML-U62      | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile                                   |

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
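As an added example (not part of this advisory or of the ucode-intel package), the following Python parses rows in the format of the New/Updated Platforms tables above and reports whether a host's CPU signature, as read from /proc/cpuinfo, still runs a microcode revision below "New Ver". It assumes the F-M-S/PI column is hex family-model-stepping followed by a platform-ID bitmask, as in Intel's microcode release notes; the table rows and the cpuinfo excerpt below are constructed samples.

```python
"""Check a CPU signature against rows in the ucode-intel release-note table format.

Added example, not code from the SUSE advisory or the ucode-intel package.
Assumptions: the F-M-S/PI column is hex family-model-stepping plus a platform-ID
bitmask, and the kernel reports the loaded revision in the "microcode" field of
/proc/cpuinfo. The platform ID itself (bits 52:50 of IA32_PLATFORM_ID, MSR 0x17)
is not in /proc/cpuinfo, so it is an optional argument.
"""
import re

# Constructed sample: a handful of rows in the format of the tables above.
SAMPLE_TABLE = """\
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |
|:---|:---|:---|:---|:---|:---|
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 |
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
"""

# Constructed /proc/cpuinfo excerpt: a Cascade Lake B1 host still on the old revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz
stepping\t: 7
microcode\t: 0x5002f01
"""

# One data row: "| proc | stepping | ff-mm-ss/pi | old | new | products |".
# "Old Ver" may be empty (new platforms), so it is matched with "*".
ROW_RE = re.compile(
    r"^\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<step>[^|]+?)\s*\|\s*"
    r"(?P<fam>[0-9a-f]{2})-(?P<model>[0-9a-f]{2})-(?P<stepping>[0-9a-f]{2})"
    r"/(?P<pi>[0-9a-f]{2})\s*\|\s*(?P<old>[0-9a-f]*)\s*\|\s*(?P<new>[0-9a-f]+)"
    r"\s*\|\s*(?P<products>[^|]*?)\s*\|$",
    re.IGNORECASE,
)


def parse_table(text):
    """Parse markdown table rows into dicts; header and separator rows do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "processor": m["proc"],
            "family": int(m["fam"], 16),
            "model": int(m["model"], 16),
            "stepping": int(m["stepping"], 16),
            "platform_mask": int(m["pi"], 16),
            "old_rev": int(m["old"], 16) if m["old"] else None,
            "new_rev": int(m["new"], 16),
            "products": m["products"],
        })
    return rows


def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode) for the first CPU in cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())  # keep the first CPU's values
    return (
        int(fields["cpu family"]),
        int(fields["model"]),
        int(fields["stepping"]),
        int(fields["microcode"], 16),  # kernel prints it as 0x... hex
    )


def check_cpu(rows, family, model, stepping, microcode, platform_id=None):
    """Classify a CPU against the table.

    Returns (status, row): "needs-update" when the loaded revision is below
    New Ver, "up-to-date" when it is at or above it, "not-listed" when no row
    matches the signature (or, if platform_id is given, the platform bitmask).
    """
    for row in rows:
        if (row["family"], row["model"], row["stepping"]) != (family, model, stepping):
            continue
        if platform_id is not None and not (row["platform_mask"] >> platform_id) & 1:
            continue
        status = "needs-update" if microcode < row["new_rev"] else "up-to-date"
        return status, row
    return "not-listed", None


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    sig = parse_cpuinfo(SAMPLE_CPUINFO)
    status, row = check_cpu(table, *sig)
    print(status, row["processor"] if row else "-", hex(sig[3]))
```

On a real host, feed `open("/proc/cpuinfo").read()` to `parse_cpuinfo` and the advisory's own table text to `parse_table`; a "needs-update" result after installing the package usually means the new revision has not been loaded yet (a reboot or early-load initrd refresh is still pending).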
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3457=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

   ucode-intel-20201110-3.23.1
   ucode-intel-debuginfo-20201110-3.23.1
   ucode-intel-debugsource-20201110-3.23.1

References:

   https://www.suse.com/security/cve/CVE-2020-8695.html
   https://www.suse.com/security/cve/CVE-2020-8696.html
   https://www.suse.com/security/cve/CVE-2020-8698.html
   https://bugzilla.suse.com/1170446
   https://bugzilla.suse.com/1173592
   https://bugzilla.suse.com/1173594

From sle-security-updates at lists.suse.com Fri Nov 20 07:23:43 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 15:23:43 +0100 (CET)
Subject: SUSE-SU-2020:14548-1: important: Security update for MozillaFirefox
Message-ID: <20201120142343.43FB3F750@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:14548-1
   Rating:             important
   References:         #1178824
   Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26953
                       CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960
                       CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
   Affected Products:
                       SUSE Linux Enterprise Server 11-SP4-LTSS
                       SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.
Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
  * CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
  * CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
  * CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
  * CVE-2020-26956: XSS through paste (manual and clipboard API)
  * CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
  * CVE-2020-26959: Use-after-free in WebRequestService
  * CVE-2020-26960: Potential use-after-free in uses of nsTArray
  * CVE-2020-15999: Heap buffer overflow in freetype
  * CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965: Software keyboards may have remembered typed passwords
  * CVE-2020-26966: Single-word search queries were also broadcast to local network
  * CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
    zypper in -t patch slessp4-MozillaFirefox-14548=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-MozillaFirefox-14548=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):

   MozillaFirefox-78.5.0-78.105.1
   MozillaFirefox-translations-common-78.5.0-78.105.1
   MozillaFirefox-translations-other-78.5.0-78.105.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

   MozillaFirefox-debuginfo-78.5.0-78.105.1

References:

   https://www.suse.com/security/cve/CVE-2020-15999.html
   https://www.suse.com/security/cve/CVE-2020-16012.html
   https://www.suse.com/security/cve/CVE-2020-26951.html
   https://www.suse.com/security/cve/CVE-2020-26953.html
   https://www.suse.com/security/cve/CVE-2020-26956.html
   https://www.suse.com/security/cve/CVE-2020-26958.html
   https://www.suse.com/security/cve/CVE-2020-26959.html
   https://www.suse.com/security/cve/CVE-2020-26960.html
   https://www.suse.com/security/cve/CVE-2020-26961.html
   https://www.suse.com/security/cve/CVE-2020-26965.html
   https://www.suse.com/security/cve/CVE-2020-26966.html
   https://www.suse.com/security/cve/CVE-2020-26968.html
   https://bugzilla.suse.com/1178824

From sle-security-updates at lists.suse.com Fri Nov 20 07:24:42 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 15:24:42 +0100 (CET)
Subject: SUSE-SU-2020:3455-1: important: Security update for postgresql10
Message-ID: <20201120142442.55B9DF750@maintenance.suse.de>

   SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3455-1
   Rating:             important
   References:         #1178666 #1178667 #1178668
   Cross-References:   CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
   Affected Products:
                       SUSE Linux Enterprise Server for SAP 15
                       SUSE Linux Enterprise Server 15-LTSS
                       SUSE Linux Enterprise High Performance Computing 15-LTSS
                       SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

This update for postgresql10 fixes the following issues:

- Upgrade to version 10.15:
  * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries.
  * CVE-2020-25694, bsc#1178667:
    a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb.
    b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used.
  * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables.
  * Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
  * https://www.postgresql.org/about/news/2111/
  * https://www.postgresql.org/docs/10/release-10-15.html

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3455=1
- SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3455=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3455=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3455=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

   libecpg6-10.15-4.28.1
   libecpg6-debuginfo-10.15-4.28.1
   libpq5-10.15-4.28.1
   libpq5-debuginfo-10.15-4.28.1
   postgresql10-10.15-4.28.1
   postgresql10-contrib-10.15-4.28.1
   postgresql10-contrib-debuginfo-10.15-4.28.1
   postgresql10-debuginfo-10.15-4.28.1
   postgresql10-debugsource-10.15-4.28.1
   postgresql10-devel-10.15-4.28.1
   postgresql10-devel-debuginfo-10.15-4.28.1
   postgresql10-plperl-10.15-4.28.1
   postgresql10-plperl-debuginfo-10.15-4.28.1
   postgresql10-plpython-10.15-4.28.1
   postgresql10-plpython-debuginfo-10.15-4.28.1
   postgresql10-pltcl-10.15-4.28.1
   postgresql10-pltcl-debuginfo-10.15-4.28.1
   postgresql10-server-10.15-4.28.1
   postgresql10-server-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):

   postgresql10-docs-10.15-4.28.1

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

   libpq5-32bit-10.15-4.28.1
   libpq5-32bit-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

   libecpg6-10.15-4.28.1
   libecpg6-debuginfo-10.15-4.28.1
   libpq5-10.15-4.28.1
   libpq5-debuginfo-10.15-4.28.1
   postgresql10-10.15-4.28.1
   postgresql10-contrib-10.15-4.28.1
   postgresql10-contrib-debuginfo-10.15-4.28.1
   postgresql10-debuginfo-10.15-4.28.1
   postgresql10-debugsource-10.15-4.28.1
   postgresql10-devel-10.15-4.28.1
   postgresql10-devel-debuginfo-10.15-4.28.1
   postgresql10-plperl-10.15-4.28.1
   postgresql10-plperl-debuginfo-10.15-4.28.1
   postgresql10-plpython-10.15-4.28.1
   postgresql10-plpython-debuginfo-10.15-4.28.1
   postgresql10-pltcl-10.15-4.28.1
   postgresql10-pltcl-debuginfo-10.15-4.28.1
   postgresql10-server-10.15-4.28.1
   postgresql10-server-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):

   postgresql10-docs-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

   libecpg6-10.15-4.28.1
   libecpg6-debuginfo-10.15-4.28.1
   libpq5-10.15-4.28.1
   libpq5-debuginfo-10.15-4.28.1
   postgresql10-10.15-4.28.1
   postgresql10-contrib-10.15-4.28.1
   postgresql10-contrib-debuginfo-10.15-4.28.1
   postgresql10-debuginfo-10.15-4.28.1
   postgresql10-debugsource-10.15-4.28.1
   postgresql10-devel-10.15-4.28.1
   postgresql10-devel-debuginfo-10.15-4.28.1
   postgresql10-plperl-10.15-4.28.1
   postgresql10-plperl-debuginfo-10.15-4.28.1
   postgresql10-plpython-10.15-4.28.1
   postgresql10-plpython-debuginfo-10.15-4.28.1
   postgresql10-pltcl-10.15-4.28.1
   postgresql10-pltcl-debuginfo-10.15-4.28.1
   postgresql10-server-10.15-4.28.1
   postgresql10-server-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

   libpq5-32bit-10.15-4.28.1
   libpq5-32bit-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

   postgresql10-docs-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

   libecpg6-10.15-4.28.1
   libecpg6-debuginfo-10.15-4.28.1
   libpq5-10.15-4.28.1
   libpq5-debuginfo-10.15-4.28.1
   postgresql10-10.15-4.28.1
   postgresql10-contrib-10.15-4.28.1
   postgresql10-contrib-debuginfo-10.15-4.28.1
   postgresql10-debuginfo-10.15-4.28.1
   postgresql10-debugsource-10.15-4.28.1
   postgresql10-devel-10.15-4.28.1
   postgresql10-devel-debuginfo-10.15-4.28.1
   postgresql10-plperl-10.15-4.28.1
   postgresql10-plperl-debuginfo-10.15-4.28.1
   postgresql10-plpython-10.15-4.28.1
   postgresql10-plpython-debuginfo-10.15-4.28.1
   postgresql10-pltcl-10.15-4.28.1
   postgresql10-pltcl-debuginfo-10.15-4.28.1
   postgresql10-server-10.15-4.28.1
   postgresql10-server-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

   libpq5-32bit-10.15-4.28.1
   libpq5-32bit-debuginfo-10.15-4.28.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

   postgresql10-docs-10.15-4.28.1

References:

   https://www.suse.com/security/cve/CVE-2020-25694.html
   https://www.suse.com/security/cve/CVE-2020-25695.html
   https://www.suse.com/security/cve/CVE-2020-25696.html
   https://bugzilla.suse.com/1178666
   https://bugzilla.suse.com/1178667
   https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com Fri Nov 20 10:15:03 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 18:15:03 +0100 (CET)
Subject: SUSE-SU-2020:3466-1: moderate: Security update for SUSE Manager Server 4.0
Message-ID: <20201120171503.C7D4EF792@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

   Announcement ID:    SUSE-SU-2020:3466-1
   Rating:             moderate
   References:         #1144447 #1172079 #1173199 #1175739 #1175876 #1175987 #1176074
                       #1176172 #1177336 #1177435 #1177790 #1178060 #1178145 #1178195
   Cross-References:   CVE-2018-10936 CVE-2020-13692
   Affected Products:
                       SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has 12 fixes is now available.
Description:

This update fixes the following issues:

bind-formula:

- Temporarily disable dnssec-validation as hotfix for bsc#1177790
- Update to version 0.1.1603299886.60e4bcf

grafana-formula:

- Use variable for product name
- Add support for system groups in Client Systems dashboard

postgresql-jdbc:

- Address CVE-2020-13692 (bsc#1172079)
- Add patch:
- Major changes since 9.4-1200:
  * License changed to BSD-2-Clause and BSD-3-Clause and Apache-2.0
  * Support PostgreSQL 9.5, 9.6, 10, 11 and 12 added
  * Support for PostgreSQL versions below 8.2 was dropped
  * Support for JDK8, JDK9, JDK10, JDK11 and JDK12
  * Support for JDK 1.4 and 1.5 was dropped
  * Support for JDBC 4.2 added
  * Add maxResultBuffer property
  * Add caller push of binary data
  * Read only transactions
  * pkcs12 key functionality
  * New "escapeSyntaxCallMode" connection property
  * Connection property to limit server error detail in exceptions
  * CancelQuery() to PGConnection public interface
  * Support for large update counts (JDBC 4.2)
  * Add Binary Support for Oid.NUMERIC and Oid.NUMERIC_ARRAY
  * Expose parameter status messages (GUC_REPORT) to the user
  * Log ignoring rollback when no transaction in progress
  * Map inet type to InetAddress
  * Change IS_GENERATED to IS_GENERATEDCOLUMN as per spec
  * Support temporary replication slots in ReplicationCreateSlotBuilder
  * Return function (PostgreSQL 11) columns in PgDatabaseMetaData#getFunctionColumns
  * Return information on create replication slot; the snapshot_name is now exported to allow a consistent snapshot in some use cases
  * `ssl=true` implies `sslmode=verify-full`, that is, it requires a valid server certificate
  * Support for `sslmode=allow/prefer/require`
  * Added server hostname verification for non-default SSL factories in `sslmode=verify-full` (CVE-2018-10936)
  * PreparedStatement.setNull(int parameterIndex, int t, String typeName) no longer ignores the typeName argument if it is not setNull
  * Reduce the severity of the error log messages when an exception is re-thrown. The error will be thrown to the caller to be dealt with, so there is no need to log at this verbosity in pgjdbc
  * Deprecate Fastpath API PR 903
  * Support parenthesis in {oj ...} JDBC escape syntax
  * socksProxyHost is ignored in case it contains an empty string
  * Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library
  * Make SELECT INTO and CREATE TABLE AS return row counts to the client in their command tags
  * Support Subject Alternative Names for SSL connections
  * Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY column
  * Support for primitive arrays PR 887 3e0491a
  * Implement support for get/setNetworkTimeout() in connections
  * Make GSS JAAS login optional, add an option "jaasLogin"
  * Improve behaviour of ResultSet.getObject(int, Class)
  * Parse CommandComplete message using a regular expression, allows complete catch of server returned commands for INSERT, UPDATE, DELETE, SELECT, FETCH, MOVE, COPY and future commands.
  * Use 'time with timezone' and 'timestamp with timezone' as is and ignore the user provided Calendars, 'time' and 'timestamp' work as earlier except "00:00:00" now maps to 1970-01-01 and "24:00:00" uses the system provided Calendar ignoring the user-provided one
  * Change behaviour of multihost connection. The new behaviour is to try all secondaries first before trying the master
  * Drop support for the (insecure) crypt authentication method
  * slave and preferSlave values for the targetServerType connection property have been deprecated in favour of secondary and preferSecondary respectively
  * Statements with non-zero fetchSize no longer require server-side named handle. This might cause issues when using old PostgreSQL versions (pre-8.4)+fetchSize+interleaved ResultSet processing combo
  * Better logic for returning keyword detection.
    Previously, pgjdbc could be defeated by column names that contain returning, so pgjdbc failed to "return generated keys" as it considered the statement as already having the returning keyword
  * Use server-prepared statements for batch inserts when prepareThreshold>0. This enables batch to use server-prepared from the first executeBatch() execution (previously it waited for prepareThreshold executeBatch() calls)
  * Replication protocol API was added: replication API documentation
  * java.util.logging is now used for logging: logging documentation
  * Add support for PreparedStatement.setCharacterStream(int, Reader)
  * Ensure executeBatch() can be used with pgbouncer. Previously pgjdbc could use server-prepared statements for batch execution even with prepareThreshold=0
  * Error position is displayed when SQL has unterminated literals, comments, etc
  * Strict handling of accepted values in getBoolean and setObject(BOOLEAN), now it follows PostgreSQL accepted values, only 1 and 0 for numeric types are accepted (previously !=0 was true)
  * Deprecated PGPoolingDataSource, instead of this class you should use a fully featured connection pool like HikariCP, vibur-dbcp, commons-dbcp, c3p0, etc
  * 'current transaction is aborted' exception includes the original exception via caused-by chain
  * Better support for RETURN_GENERATED_KEYS, statements with RETURNING clause
  * Avoid user-visible prepared-statement errors if client uses DEALLOCATE/DISCARD statements (invalidate cache when those statements detected)
  * Avoid user-visible prepared-statement errors if client changes search_path (invalidate cache when set search_path detected)
  * Support comments when replacing {fn ...} JDBC syntax
  * Support for Types.REF_CURSOR
  * Performance optimization for timestamps (~TimeZone.getDefault optimization)
  * Ability to customize socket factory (e.g. for unix domain sockets)
  * Ignore empty sub-queries in composite queries
  * Add equality support to PSQLState
  * Improved composite/array type support and type naming changes.
- Update to version 42.2.10
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.10
- Update to version 42.2.9
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.9
- Update to version 42.2.8
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.8
- Update to version 42.2.7
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.7
- Update to version 42.2.6
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.6
- Update to version 42.2.5
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.5
- Update to version 42.2.4
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.4
- Update to version 42.2.3
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.3
- Update to version 42.2.2
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.2
- Update to version 42.2.1
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.1
- Update to version 42.2.0
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.0
- Update to version 42.1.4
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.4
- Update to version 42.1.3
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.3
- Update to version 42.1.2
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.2
- Update to version 42.1.1
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.1
- Update to version 42.1.0
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.1
- Update to version 42.2.0
  * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.0
- Update to version 9.4.1211
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1211
- Update to version 9.4.1210
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1210
- Update to version 9.4.1209
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1209
- Update to version 9.4.1208
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1208
- Update to version 9.4.1207
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1207
- Update to version 9.4.1206
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1206
- Update to version 9.4.1205
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1204
- Update to version 9.4.1204
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1204
- Update to version 9.4.1203
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1203
- Update to version 9.4.1202
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1202
- Update to version 9.4.1201
  * https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1201

prometheus-exporters-formula:

- Fix empty directory values initialization
- Disable reverse proxy on default

prometheus-formula:

- Update to version 0.2.3
- Disable Alertmanager clustering (bsc#1178145)
- Update to version 0.2.2
- Use variable for product name

salt-netapi-client:

- Version 0.18.0
  See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

spacewalk-admin:

- Use the license macro to mark the LICENSE in the package so that when installing without docs, it does install the LICENSE file
- Prevent javax.net.ssl.SSLHandshakeException after upgrading from SUSE Manager 3.2 (bsc#1177435)

spacewalk-backend:

- ISS: Differentiate packages with same nevra but different checksum in the same channel (bsc#1178195)
- Fix unique machine_id detection (bsc#1176074)

spacewalk-java:

- Revert: Sync state modules when starting action chain execution (bsc#1177336)
- Sync state modules when starting action chain execution (bsc#1177336)
- Fix repo url of AppStream in generated RHEL/Centos 8 kickstart file (bsc#1175739)
- Log token verify errors and check for expired tokens
- Execute Salt SSH actions in parallel (bsc#1173199)
- Take pool and volume from Salt virt.vm_info for files and blocks disks (bsc#1175987)
- Fix action chain resuming when patches updating salt-minion don't cause service to be restarted (bsc#1144447)
- Renaming autoinstall distro didn't change the name of the Cobbler distro (bsc#1175876)

spacewalk-web:

- Fix link to documentation in Admin -> Manager Configuration -> Monitoring (bsc#1176172)
- Don't allow selecting spice for Xen PV and PVH guests

susemanager:

- Add --force to mgr-create-bootstrap-repo to enforce generation even when some products are not synchronized

susemanager-schema:

- Execute Salt SSH actions in parallel (bsc#1173199)

susemanager-sls:

- Revert: Sync state modules when starting action chain execution (bsc#1177336)
- Sync state modules when starting action chain execution (bsc#1177336)
- Fix grub2 autoinstall kernel path (bsc#1178060)
- Move channel token information from sources.list to auth.conf on Debian 10 and Ubuntu 18 and newer
- Fix action chain resuming when patches updating salt-minion don't cause service to be restarted (bsc#1144447)
- Make grub2 autoinstall kernel path relative to the boot partition root (bsc#1175876)

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service:
     spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema:
     spacewalk-schema-upgrade
5. Start the Spacewalk service:
     spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3466=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

   susemanager-4.0.32-3.46.1
   susemanager-tools-4.0.32-3.46.1

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

   bind-formula-0.1.1603299886.60e4bcf-3.11.1
   grafana-formula-0.2.2-4.13.1
   postgresql-jdbc-42.2.10-3.3.1
   prometheus-exporters-formula-0.7.5-3.16.1
   prometheus-formula-0.2.3-4.16.1
   python3-spacewalk-backend-libs-4.0.35-3.38.1
   salt-netapi-client-0.18.0-4.12.1
   spacewalk-admin-4.0.12-3.15.1
   spacewalk-backend-4.0.35-3.38.1
   spacewalk-backend-app-4.0.35-3.38.1
   spacewalk-backend-applet-4.0.35-3.38.1
   spacewalk-backend-config-files-4.0.35-3.38.1
   spacewalk-backend-config-files-common-4.0.35-3.38.1
   spacewalk-backend-config-files-tool-4.0.35-3.38.1
   spacewalk-backend-iss-4.0.35-3.38.1
   spacewalk-backend-iss-export-4.0.35-3.38.1
   spacewalk-backend-package-push-server-4.0.35-3.38.1
   spacewalk-backend-server-4.0.35-3.38.1
   spacewalk-backend-sql-4.0.35-3.38.1
   spacewalk-backend-sql-postgresql-4.0.35-3.38.1
   spacewalk-backend-tools-4.0.35-3.38.1
   spacewalk-backend-xml-export-libs-4.0.35-3.38.1
   spacewalk-backend-xmlrpc-4.0.35-3.38.1
   spacewalk-base-4.0.25-3.36.1
   spacewalk-base-minimal-4.0.25-3.36.1
   spacewalk-base-minimal-config-4.0.25-3.36.1
   spacewalk-html-4.0.25-3.36.1
   spacewalk-java-4.0.40-3.48.2
   spacewalk-java-config-4.0.40-3.48.2
   spacewalk-java-lib-4.0.40-3.48.2
   spacewalk-java-postgresql-4.0.40-3.48.2
   spacewalk-taskomatic-4.0.40-3.48.2
   susemanager-schema-4.0.23-3.32.1
   susemanager-sls-4.0.31-3.37.1
   susemanager-web-libs-4.0.25-3.36.1

References:

   https://www.suse.com/security/cve/CVE-2018-10936.html
   https://www.suse.com/security/cve/CVE-2020-13692.html
   https://bugzilla.suse.com/1144447
   https://bugzilla.suse.com/1172079
   https://bugzilla.suse.com/1173199
   https://bugzilla.suse.com/1175739
https://bugzilla.suse.com/1175876 https://bugzilla.suse.com/1175987 https://bugzilla.suse.com/1176074 https://bugzilla.suse.com/1176172 https://bugzilla.suse.com/1177336 https://bugzilla.suse.com/1177435 https://bugzilla.suse.com/1177790 https://bugzilla.suse.com/1178060 https://bugzilla.suse.com/1178145 https://bugzilla.suse.com/1178195 From sle-security-updates at lists.suse.com Fri Nov 20 10:19:34 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 20 Nov 2020 18:19:34 +0100 (CET) Subject: SUSE-SU-2020:3464-1: important: Security update for postgresql10 Message-ID: <20201120171934.8A28AF750@maintenance.suse.de> SUSE Security Update: Security update for postgresql10 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3464-1 Rating: important References: #1178666 #1178667 #1178668 Cross-References: CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for postgresql10 fixes the following issues: Upgrade to version 10.15: * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries. 
* CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb. b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3464=1

- SUSE OpenStack Cloud Crowbar 8:

    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3464=1

- SUSE OpenStack Cloud 9:

    zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3464=1

- SUSE OpenStack Cloud 8:

    zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3464=1

- SUSE OpenStack Cloud 7:

    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3464=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3464=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

    zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3464=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

    zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3464=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3464=1

- SUSE Linux Enterprise Server 12-SP5:

    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3464=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3464=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3464=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3464=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3464=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3464=1

- SUSE Enterprise Storage 5:

    zypper in -t patch SUSE-Storage-5-2020-3464=1

- HPE Helion Openstack 8:

    zypper in -t patch HPE-Helion-OpenStack-8-2020-3464=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE OpenStack Cloud Crowbar 8 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE OpenStack Cloud 9 (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE OpenStack Cloud 9 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE OpenStack Cloud 8 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE OpenStack Cloud 8 (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE OpenStack Cloud 7 (s390x x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE OpenStack Cloud 7 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

    postgresql10-debugsource-10.15-4.9.1
    postgresql10-devel-10.15-4.9.1
    postgresql10-devel-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

    postgresql10-docs-10.15-4.9.1

- SUSE Enterprise Storage 5 (aarch64 x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

- SUSE Enterprise Storage 5 (noarch):

    postgresql10-docs-10.15-4.9.1

- HPE Helion Openstack 8 (noarch):

    postgresql10-docs-10.15-4.9.1

- HPE Helion Openstack 8 (x86_64):

    postgresql10-10.15-4.9.1
    postgresql10-contrib-10.15-4.9.1
    postgresql10-contrib-debuginfo-10.15-4.9.1
    postgresql10-debuginfo-10.15-4.9.1
    postgresql10-debugsource-10.15-4.9.1
    postgresql10-plperl-10.15-4.9.1
    postgresql10-plperl-debuginfo-10.15-4.9.1
    postgresql10-plpython-10.15-4.9.1
    postgresql10-plpython-debuginfo-10.15-4.9.1
    postgresql10-pltcl-10.15-4.9.1
    postgresql10-pltcl-debuginfo-10.15-4.9.1
    postgresql10-server-10.15-4.9.1
    postgresql10-server-debuginfo-10.15-4.9.1

References:

https://www.suse.com/security/cve/CVE-2020-25694.html
https://www.suse.com/security/cve/CVE-2020-25695.html
https://www.suse.com/security/cve/CVE-2020-25696.html
https://bugzilla.suse.com/1178666
https://bugzilla.suse.com/1178667
https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com Fri Nov 20 10:20:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 20 Nov 2020 18:20:50 +0100 (CET)
Subject: SUSE-SU-2020:3460-1: moderate: Security update for java-1_8_0-openjdk
Message-ID: <20201120172050.276BDF750@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3460-1
Rating: moderate
References: #1174157 #1177943
Cross-References: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803
Affected Products:
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Legacy Software 15-SP2
    SUSE Linux Enterprise Module for Legacy Software 15-SP1
______________________________________________________________________________

An update that fixes 16 vulnerabilities is now available.

Description:

This update for java-1_8_0-openjdk fixes the following issues:

- Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)", introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU, bsc#1174157, and October 2020 CPU, bsc#1177943)
  * New features
    + JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
    + PR3796: Allow the number of curves supported to be specified
  * Security fixes
    + JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
    + JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
    + JDK-8230613: Better ASCII conversions
    + JDK-8231800: Better listing of arrays
    + JDK-8232014: Expand DTD support
    + JDK-8233255: Better Swing Buttons
    + JDK-8233624: Enhance JNI linkage
    + JDK-8234032: Improve basic calendar services
    + JDK-8234042: Better factory production of certificates
    + JDK-8234418: Better parsing with CertificateFactory
    + JDK-8234836: Improve serialization handling
    + JDK-8236191: Enhance OID processing
    + JDK-8236196: Improve string pooling
    + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
    + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
    + JDK-8237592, CVE-2020-14577: Enhance certificate verification
    + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
    + JDK-8237995, CVE-2020-14782: Enhance certificate processing
    + JDK-8238002, CVE-2020-14581: Better matrix operations
    + JDK-8238804: Enhance key handling process
    + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
    + JDK-8238843: Enhanced font handing
    + JDK-8238920, CVE-2020-14583: Better Buffer support
    + JDK-8238925: Enhance WAV file playback
    + JDK-8240119, CVE-2020-14593: Less Affine Transformations
    + JDK-8240124: Better VM Interning
    + JDK-8240482: Improved WAV file playback
    + JDK-8241114, CVE-2020-14792: Better range handling
    + JDK-8241379: Update JCEKS support
    + JDK-8241522: Manifest improved jar headers redux
    + JDK-8242136, CVE-2020-14621: Better XML namespace handling
    + JDK-8242680, CVE-2020-14796: Improved URI Support
    + JDK-8242685, CVE-2020-14797: Better Path Validation
    + JDK-8242695, CVE-2020-14798: Enhanced buffer support
    + JDK-8243302: Advanced class supports
    + JDK-8244136, CVE-2020-14803: Improved Buffer supports
    + JDK-8244479: Further constrain certificates
    + JDK-8244955: Additional Fix for JDK-8240124
    + JDK-8245407: Enhance zoning of times
    + JDK-8245412: Better class definitions
    + JDK-8245417: Improve certificate chain handling
    + JDK-8248574: Improve jpeg processing
    + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
    + JDK-8253019: Enhanced JPEG decoding
  * Import of OpenJDK 8 u262 build 01
    + JDK-4949105: Access Bridge lacks html tags parsing
    + JDK-8003209: JFR events for network utilization
    + JDK-8030680: 292 cleanup from default method code assessment
    + JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and some tests failed on windows intermittently
    + JDK-8041626: Shutdown tracing event
    + JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
    + JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN coordinates
    + JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to "Connection succeeded"
    + JDK-8165675: Trace event for thread park has incorrect unit for timeout
    + JDK-8176182: 4 security tests are not run
    + JDK-8178910: Problemlist sample tests
    + JDK-8183925: Decouple crash protection from watcher thread
    + JDK-8191393: Random crashes during cfree+0x1c
    + JDK-8195817: JFR.stop should require name of recording
    + JDK-8195818: JFR.start should increase autogenerated name by one
    + JDK-8195819: Remove recording=x from jcmd JFR.check output
    + JDK-8199712: Flight Recorder
    + JDK-8202578: Revisit location for class unload events
    + JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing events
    + JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder)
    + JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant
    + JDK-8203664: JFR start failure after AppCDS archive created with JFR StartFlightRecording
    + JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552
    + JDK-8203929: Limit amount of data for JFR.dump
    + JDK-8205516: JFR tool
    + JDK-8207392: [PPC64] Implement JFR profiling
    + JDK-8207829: FlightRecorderMXBeanImpl is leaking the first classloader which calls it
    + JDK-8209960: -Xlog:jfr* doesn't work with the JFR
    + JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
    + JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7
    + JDK-8211239: Build fails without JFR: empty JFR events signatures mismatch
    + JDK-8212232: Wrong metadata for the configuration of the cutoff for old object sample events
    + JDK-8213015: Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions
    + JDK-8213421: Line number information for execution samples always 0
    + JDK-8213617: JFR should record the PID of the recorded process
    + JDK-8213734: SAXParser.parse(File, ..) does not close resources when Exception occurs.
    + JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests
    + JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test
    + JDK-8213966: The ZGC JFR events should be marked as experimental
    + JDK-8214542: JFR: Old Object Sample event slow on a deep heap in debug builds
    + JDK-8214750: Unnecessary tags in jfr classes
    + JDK-8214896: JFR Tool left files behind
    + JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with UnsatisfiedLinkError
    + JDK-8214925: JFR tool fails to execute
    + JDK-8215175: Inconsistencies in JFR event metadata
    + JDK-8215237: jdk.jfr.Recording javadoc does not compile
    + JDK-8215284: Reduce noise induced by periodic task getFileSize()
    + JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)
    + JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
    + JDK-8215771: The jfr tool should pretty print reference chains
    + JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly
    + JDK-8216486: Possibility of integer overflow in JfrThreadSampler::run()
    + JDK-8216528: test/jdk/java/rmi/transport/runtimeThreadInheritanceLeak/RuntimeThreadInheritanceLeak.java failing with Xcomp
    + JDK-8216559: [JFR] Native libraries not correctly parsed from /proc/self/maps
    + JDK-8216578: Remove unused/obsolete method in JFR code
    + JDK-8216995: Clean up JFR command line processing
    + JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems due to process surviving SIGINT
    + JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR TestShutdownEvent
    + JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
    + JDK-8223147: JFR Backport
    + JDK-8223689: Add JFR Thread Sampling Support
    + JDK-8223690: Add JFR BiasedLock Event Support
    + JDK-8223691: Add JFR G1 Region Type Change Event Support
    + JDK-8223692: Add JFR G1 Heap Summary Event Support
    + JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant
    + JDK-8224475: JTextPane does not show images in HTML rendering
    + JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden.
    + JDK-8226779: [TESTBUG] Test JFR API from Java agent
    + JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
    + JDK-8227011: Starting a JFR recording in response to JVMTI VMInit and / or Java agent premain corrupts memory
    + JDK-8227605: Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant"
    + JDK-8229366: JFR backport allows unchecked writing to memory
    + JDK-8229401: Fix JFR code cache test failures
    + JDK-8229708: JFR backport code does not initialize
    + JDK-8229873: 8229401 broke jdk8u-jfr-incubator
    + JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows
    + JDK-8230707: JFR related tests are failing
    + JDK-8230782: Robot.createScreenCapture() fails if "awt.robot.gtk" is set to false
    + JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return
    + JDK-8230947: TestLookForUntestedEvents.java is failing after JDK-8230707
    + JDK-8231995: two jtreg tests failed after 8229366 is fixed
    + JDK-8233623: Add classpath exception to copyright in EventHandlerProxyCreator.java file
    + JDK-8236002: CSR for JFR backport suggests not leaving out the package-info
    + JDK-8236008: Some backup files were accidentally left in the hotspot tree
    + JDK-8236074: Missed package-info
    + JDK-8236174: Should update javadoc since tags
    + JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
    + JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01
    + JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
    + JDK-8238589: Necessary code cleanup in JFR for JDK8u
    + JDK-8238590: Enable JFR by default during compilation in 8u
    + JDK-8239055: Wrong implementation of VMState.hasListener
    + JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair
    + JDK-8239479: minimal1 and zero builds are failing
    + JDK-8239867: correct over use of INCLUDE_JFR macro
    + JDK-8240375: Disable JFR by default for July 2020 release
    + JDK-8241444: Metaspace::_class_vsm not initialized if compressed class pointers are disabled
    + JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR Backport)
    + JDK-8242788: Non-PCH build is broken after JDK-8191393
  * Import of OpenJDK 8 u262 build 02
    + JDK-8130737: AffineTransformOp can't handle child raster with non-zero x-offset
    + JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in java/awt/image/Raster/TestChildRasterOp.java
    + JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
    + JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
    + JDK-8242883: Incomplete backport of JDK-8078268: backport test part
  * Import of OpenJDK 8 u262 build 03
    + JDK-8037866: Replace the Fun class in tests with lambdas
    + JDK-8146612: C2: Precedence edges specification violated
    + JDK-8150986: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java failing because expects HPROF JAVA PROFILE 1.0.1 file format
    + JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions
    + JDK-8230597: Update GIFlib library to the 5.2.1
    + JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
    + JDK-8233880, PR3798: Support compilers with multi-digit major version numbers
    + JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
    + JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set
    + JDK-8243059: Build fails when --with-vendor-name contains a comma
    + JDK-8243474: [TESTBUG] removed three tests of 0 bytes
    + JDK-8244461: [JDK 8u] Build fails with glibc 2.32
    + JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
  * Import of OpenJDK 8 u262 build 04
    + JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null
    + JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
    + JDK-8171934: ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does not recognize OpenJDK's HotSpot VM
    + JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE
    + JDK-8243539: Copyright info (Year) should be updated for fix of 8241638
    + JDK-8244777: ClassLoaderStats VM Op uses constant hash value
  * Import of OpenJDK 8 u262 build 05
    + JDK-7147060: com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java doesn't run in agentvm mode
    + JDK-8178374: Problematic ByteBuffer handling in CipherSpi.bufferCrypt method
    + JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
    + JDK-8227269: Slow class loading when running with JDWP
    + JDK-8229899: Make java.io.File.isInvalid() less racy
    + JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing
    + JDK-8241750: x86_32 build failure after JDK-8227269
    + JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in
    + JDK-8244843: JapanEraNameCompatTest fails
  * Import of OpenJDK 8 u262 build 06
    + JDK-8246223: Windows build fails after JDK-8227269
  * Import of OpenJDK 8 u262 build 07
    + JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing
    + JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
    + JDK-8245167: Top package in method profiling shows null in JMC
    + JDK-8246703: [TESTBUG] Add test for JDK-8233197
  * Import of OpenJDK 8 u262 build 08
    + JDK-8220293: Deadlock in JFR string pool
    + JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020
    + JDK-8225069: Remove Comodo root certificate that is expiring in May 2020
  * Import of OpenJDK 8 u262 build 09
    + JDK-8248399: Build installs jfr binary when JFR is disabled
  * Import of OpenJDK 8 u262 build 10
    + JDK-8248715: New JavaTimeSupplementary localisation for 'in' installed in wrong package
  * Import of OpenJDK 8 u265 build 01
    + JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior
    + JDK-8250546: Expect changed behaviour reported in JDK-8249846
  * Import of OpenJDK 8 u272 build 01
    + JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/Test7177917.java
    + JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals
    + JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c
    + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
    + JDK-8075774: Small readability and performance improvements for zipfs
    + JDK-8132206: move ScanTest.java into OpenJDK
    + JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API
    + JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
    + JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/appletviewer/IOExceptionIfEncodedURLTest/IOExceptionIfEncodedURLTest.sh
    + JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/MTGraphicsAccessTest.java hangs on Win. 8
    + JDK-8151788: NullPointerException from ntlm.Client.type3
    + JDK-8151834: Test SmallPrimeExponentP.java times out intermittently
    + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
    + JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public
    + JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization
    + JDK-8165936: Potential Heap buffer overflow when seaching timezone info files
    + JDK-8166148: Fix for JDK-8165936 broke solaris builds
    + JDK-8167300: Scheduling failures during gcm should be fatal
    + JDK-8167615: Opensource unit/regression tests for JavaSound
    + JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java
    + JDK-8177628: Opensource unit/regression tests for ImageIO
    + JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
    + JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh
    + JDK-8193137: Nashorn crashes when given an empty script file
    + JDK-8194298: Add support for per Socket configuration of TCP keepalive
    + JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error
    + JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails
    + JDK-8210147: adjust some WSAGetLastError usages in windows network coding
    + JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions
    + JDK-8214862: assert(proj != __null) at compile.cpp:3251
    + JDK-8217606: LdapContext#reconnect always opens a new connection
    + JDK-8217647: JFR: recordings on 32-bit systems unreadable
    + JDK-8226697: Several tests which need the @key headful keyword are missing it.
    + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
    + JDK-8230303: JDB hangs when running monitor command
    + JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG
    + JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion
    + JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version
    + JDK-8235325: build failure on Linux after 8235243
    + JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
    + JDK-8237951: CTW: C2 compilation fails with "malformed control flow"
    + JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
    + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
    + JDK-8239819: XToolkit: Misread of screen information memory
    + JDK-8240295: hs_err elapsed time in seconds is not accurate enough
    + JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one
    + JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
    + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
    + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
    + JDK-8246310: Clean commented-out code about ModuleEntry and PackageEntry in JFR
    + JDK-8246384: Enable JFR by default on supported architectures for October 2020 release
    + JDK-8248643: Remove extra leading space in JDK-8240295 8u backport
    + JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... keys) method public
  * Import of OpenJDK 8 u272 build 02
    + JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times
    + JDK-8025886: replace [[ and == bash extensions in regtest
    + JDK-8046274: Removing dependency on jakarta-regexp
    + JDK-8048933: -XX:+TraceExceptions output should include the message
    + JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/fileaccess/FontFile.java fails
    + JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
    + JDK-8154313: Generated javadoc scattered all over the place
    + JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k
    + JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled
    + JDK-8183349: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
    + JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test.
    + JDK-8201633: Problems with AES-GCM native acceleration
    + JDK-8211049: Second parameter of "initialize" method is not used
    + JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero
    + JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound
    + JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file
    + JDK-8224217: RecordingInfo should use textual representation of path
    + JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
    + JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
    + JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
    + JDK-8238388, PR3798: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
    + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
    + JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
  * Import of OpenJDK 8 u272 build 03
    + JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes
    + JDK-8148754: C2 loop unrolling fails due to unexpected graph shape
    + JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
    + JDK-8203357: Container Metrics
    + JDK-8209113: Use WeakReference for lastFontStrike for created Fonts
    + JDK-8216283: Allow shorter method sampling interval than 10 ms
    + JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified
    + JDK-8233097: Fontmetrics for large Fonts has zero width
    + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
    + JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update
  * Import of OpenJDK 8 u272 build 04
    + JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double
    + JDK-8177334: Update
xmldsig implementation to Apache Santuario 2.1.1 + JDK-8217878: ENVELOPING XML signature no longer works in JDK 11 + JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 + JDK-8243138: Enhance BaseLdapServer to support starttls extended request * Import of OpenJDK 8 u272 build 05 + JDK-8026236: Add PrimeTest for BigInteger + JDK-8057003: Large reference arrays cause extremely long synchronization times + JDK-8060721: Test runtime/SharedArchiveFile/ /LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler + JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings + JDK-8168517: java/lang/ProcessBuilder/Basic.java failed + JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean + JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs + JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds + JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled * Import of OpenJDK 8 u272 build 06 + JDK-8064319: Need to enable -XX:+TraceExceptions in release builds + JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40 support + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working + JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface license + JDK-8184762: 
ZapStackSegments should use optimized memset + JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak + JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly + JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8228835: Memory leak in PKCS11 provider when using AES GCM + JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + JDK-8238898, PR3801: Missing hash characters for header on license file + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8245467: Remove 8u TLSv1.2 implementation files + JDK-8245469: Remove DTLS protocol implementation + JDK-8245470: Fix JDK8 compatibility issues + JDK-8245471: Revert JDK-8148188 + JDK-8245472: Backport JDK-8038893 to JDK8 + JDK-8245473: OCSP stapling support + JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712 + JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default + JDK-8245477: Adjust TLS tests location + JDK-8245653: Remove 8u TLS tests + JDK-8245681: Add TLSv1.3 regression test from 11.0.7 + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false + JDK-8251341: Minimal Java specification change + JDK-8251478: Backport TLSv1.3 regression tests to JDK8u * Import of OpenJDK 8 u272 build 07 + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ * Import of OpenJDK 8 u272 build 08 + JDK-8062947: Fix exception message to correctly represent LDAP 
connection failure + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8252573: 8u: Windows build failed after 8222079 backport * Import of OpenJDK 8 u272 build 09 + JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation failed * Import of OpenJDK 8 u272 build 10 + JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158 + JDK-8254937: Revert JDK-8148854 for 8u272 * Backports + JDK-8038723, PR3806: Openup some PrinterJob tests + JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when JTable contains certain string + JDK-8058779, PR3805: Faster implementation of String.replace(CharSequence, CharSequence) + JDK-8130125, PR3806: [TEST_BUG] add @modules to the several client tests unaffected by the automated bulk update + JDK-8144015, PR3806: [PIT] failures of text layout font tests + JDK-8144023, PR3806: [PIT] failure of text measurements in javax/swing/text/html/parser/Parser/6836089/bug6836089.java + JDK-8144240, PR3806: [macosx][PIT] AIOOB in closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8145542, PR3806: The case failed automatically and thrown java.lang.ArrayIndexOutOfBoundsException exception + JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when displaying Devanagari text in JEditorPane + JDK-8152358, PR3800: code and comment cleanups found during the hunt for 8077392 + JDK-8152545, PR3804: Use preprocessor instead of compiling a program to generate native nio constants + JDK-8152680, PR3806: Regression in GlyphVector.getGlyphCharIndex behaviour + JDK-8158924, PR3806: Incorrect i18n text document layout + JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8166068, PR3806: test/java/awt/font/GlyphVector/ /GetGlyphCharIndexTest.java does not compile + JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/ /GlyphPainter2/6427244/bug6427244.java - compilation failed + 
JDK-8191512, PR3806: T2K font rasterizer code removal + JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from JDK sources + JDK-8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal and NoPadding + JDK-8254177, PR3809: (tz) Upgrade time-zone data to tzdata2020b * Bug fixes + PR3798: Fix format-overflow error on GCC 10, caused by passing NULL to a '%s' directive + PR3795: ECDSAUtils for XML digital signatures should support the same curve set as the rest of the JDK + PR3799: Adapt elliptic curve patches to JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3808: IcedTea does not install the JFR *.jfc files + PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has fixed its use with Shenandoah + PR3811: Don't attempt to install JFR files when JFR is disabled * Shenandoah + [backport] 8221435: Shenandoah should not mark through weak roots + [backport] 8221629: Shenandoah: Cleanup class unloading logic + [backport] 8222992: Shenandoah: Pre-evacuate all roots + [backport] 8223215: Shenandoah: Support verifying subset of roots + [backport] 8223774: Shenandoah: Refactor ShenandoahRootProcessor and family + [backport] 8224210: Shenandoah: Refactor ShenandoahRootScanner to support scanning CSet codecache roots + [backport] 8224508: Shenandoah: Need to update thread roots in final mark for piggyback ref update cycle + [backport] 8224579: ResourceMark not declared in shenandoahRootProcessor.inline.hpp with --disable-precompiled-headers + [backport] 8224679: Shenandoah: Make ShenandoahParallelCodeCacheIterator noncopyable + [backport] 8224751: Shenandoah: Shenandoah Verifier should select proper roots according to current GC cycle + [backport] 8225014: Separate ShenandoahRootScanner method for object_iterate + [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't work for Shenandoah + [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to ensure roots to-space invariant + [backport] 8225590: Shenandoah: Refactor 
ShenandoahClassLoaderDataRoots API + [backport] 8226413: Shenandoah: Separate root scanner for SH::object_iterate() + [backport] 8230853: Shenandoah: replace leftover assert(is_in(...)) with rich asserts + [backport] 8231198: Shenandoah: heap walking should visit all roots most of the time + [backport] 8231244: Shenandoah: all-roots heap walking misses some weak roots + [backport] 8237632: Shenandoah: accept NULL fwdptr to cooperate with JVMTI and JFR + [backport] 8239786: Shenandoah: print per-cycle statistics + [backport] 8239926: Shenandoah: Shenandoah needs to mark nmethod's metadata + [backport] 8240671: Shenandoah: refactor ShenandoahPhaseTimings + [backport] 8240749: Shenandoah: refactor ShenandoahUtils + [backport] 8240750: Shenandoah: remove leftover files and mentions of ShenandoahAllocTracker + [backport] 8240868: Shenandoah: remove CM-with-UR piggybacking cycles + [backport] 8240872: Shenandoah: Avoid updating new regions from start of evacuation + [backport] 8240873: Shenandoah: Short-cut arraycopy barriers + [backport] 8240915: Shenandoah: Remove unused fields in init mark tasks + [backport] 8240948: Shenandoah: cleanup not-forwarded-objects paths after JDK-8240868 + [backport] 8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + [backport] 8241062: Shenandoah: rich asserts trigger "empty statement" inspection + [backport] 8241081: Shenandoah: Do not modify update-watermark concurrently + [backport] 8241093: Shenandoah: editorial changes in flag descriptions + [backport] 8241139: Shenandoah: distribute mark-compact work exactly to minimize fragmentation + [backport] 8241142: Shenandoah: should not use parallel reference processing with single GC thread + [backport] 8241351: Shenandoah: fragmentation metrics overhaul + [backport] 8241435: Shenandoah: avoid disabling pacing with "aggressive" + [backport] 8241520: Shenandoah: simplify region sequence numbers handling + [backport] 8241534: Shenandoah: region status should include 
update watermark + [backport] 8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + [backport] 8241583: Shenandoah: turn heap lock asserts into macros + [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not derive from ContiguousSpace + [backport] 8241673: Shenandoah: refactor anti-false-sharing padding + [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at shenandoahSupport.cpp:2858 with java/util/Collections/FindSubList.java + [backport] 8241692: Shenandoah: remove ShenandoahHeapRegion::_reserved + [backport] 8241700: Shenandoah: Fold ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier + [backport] 8241740: Shenandoah: remove ShenandoahHeapRegion::_heap + [backport] 8241743: Shenandoah: refactor and inline ShenandoahHeap::heap() + [backport] 8241748: Shenandoah: inline MarkingContext TAMS methods + [backport] 8241838: Shenandoah: no need to trash cset during final mark + [backport] 8241841: Shenandoah: ditch one of allocation type counters in ShenandoahHeapRegion + [backport] 8241842: Shenandoah: inline ShenandoahHeapRegion::region_number + [backport] 8241844: Shenandoah: rename ShenandoahHeapRegion::region_number + [backport] 8241845: Shenandoah: align ShenandoahHeapRegions to cache lines + [backport] 8241926: Shenandoah: only print heap changes for operations that directly affect it + [backport] 8241983: Shenandoah: simplify FreeSet logging + [backport] 8241985: Shenandoah: simplify collectable garbage logging + [backport] 8242040: Shenandoah: print allocation failure type + [backport] 8242041: Shenandoah: adaptive heuristics should account evac reserve in free target + [backport] 8242042: Shenandoah: tune down ShenandoahGarbageThreshold + [backport] 8242054: Shenandoah: New incremental-update mode + [backport] 8242075: Shenandoah: rename ShenandoahHeapRegionSize flag + [backport] 8242082: Shenandoah: Purge Traversal mode + [backport] 8242083: Shenandoah: split "Prepare Evacuation" tracking into cset/freeset counters + [backport] 
8242089: Shenandoah: per-worker stats should be summed up, not averaged + [backport] 8242101: Shenandoah: coalesce and parallelise heap region walks during the pauses + [backport] 8242114: Shenandoah: remove ShenandoahHeapRegion::reset_alloc_metadata_to_shared + [backport] 8242130: Shenandoah: Simplify arraycopy-barrier dispatching + [backport] 8242211: Shenandoah: remove ShenandoahHeuristics::RegionData::_seqnum_last_alloc + [backport] 8242212: Shenandoah: initialize ShenandoahHeuristics::_region_data eagerly + [backport] 8242213: Shenandoah: remove ShenandoahHeuristics::_bytes_in_cset + [backport] 8242217: Shenandoah: Enable GC mode to be diagnostic/experimental and have a name + [backport] 8242227: Shenandoah: transit regions to cset state when adding to collection set + [backport] 8242228: Shenandoah: remove unused ShenandoahCollectionSet methods + [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion liveness-related methods + [backport] 8242267: Shenandoah: regions space needs to be aligned by os::vm_allocation_granularity() + [backport] 8242271: Shenandoah: add test to verify GC mode unlock + [backport] 8242273: Shenandoah: accept either SATB or IU barriers, but not both + [backport] 8242301: Shenandoah: Inline LRB runtime call + [backport] 8242316: Shenandoah: Turn NULL-check into assert in SATB slow-path entry + [backport] 8242353: Shenandoah: micro-optimize region liveness handling + [backport] 8242365: Shenandoah: use uint16_t instead of jushort for liveness cache + [backport] 8242375: Shenandoah: Remove ShenandoahHeuristic::record_gc_start/end methods + [backport] 8242641: Shenandoah: clear live data and update TAMS optimistically + [backport] 8243238: Shenandoah: explicit GC request should wait for a complete GC cycle + [backport] 8243301: Shenandoah: ditch ShenandoahAllowMixedAllocs + [backport] 8243307: Shenandoah: remove ShCollectionSet::live_data + [backport] 8243395: Shenandoah: demote guarantee in ShenandoahPhaseTimings::record_workers_end 
+ [backport] 8243463: Shenandoah: ditch total_pause counters + [backport] 8243464: Shenandoah: print statistic counters in time order + [backport] 8243465: Shenandoah: ditch unused pause_other, conc_other counters + [backport] 8243487: Shenandoah: make _num_phases illegal phase type + [backport] 8243494: Shenandoah: set counters once per cycle + [backport] 8243573: Shenandoah: rename GCParPhases and related code + [backport] 8243848: Shenandoah: Windows build fails after JDK-8239786 + [backport] 8244180: Shenandoah: carry Phase to ShWorkerTimingsTracker explicitly + [backport] 8244200: Shenandoah: build breakages after JDK-8241743 + [backport] 8244226: Shenandoah: per-cycle statistics contain worker data from previous cycles + [backport] 8244326: Shenandoah: global statistics should not accept bogus samples + [backport] 8244509: Shenandoah: refactor ShenandoahBarrierC2Support::test_* methods + [backport] 8244551: Shenandoah: Fix racy update of update_watermark + [backport] 8244667: Shenandoah: SBC2Support::test_gc_state takes loop for wrong control + [backport] 8244730: Shenandoah: gc/shenandoah/options/ /TestHeuristicsUnlock.java should only verify the heuristics + [backport] 8244732: Shenandoah: move heuristics code to gc/shenandoah/heuristics + [backport] 8244737: Shenandoah: move mode code to gc/shenandoah/mode + [backport] 8244739: Shenandoah: break superclass dependency on ShenandoahNormalMode + [backport] 8244740: Shenandoah: rename ShenandoahNormalMode to ShenandoahSATBMode + [backport] 8245461: Shenandoah: refine mode name()-s + [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings constructor arguments + [backport] 8245464: Shenandoah: allocate collection set bitmap at lower addresses + [backport] 8245465: Shenandoah: test_in_cset can use more efficient encoding + [backport] 8245726: Shenandoah: lift/cleanup ShenandoahHeuristics names and properties + [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch + [backport] 8245757: Shenandoah: 
AlwaysPreTouch should not disable heap resizing or uncommits + [backport] 8245773: Shenandoah: Windows assertion failure after JDK-8245464 + [backport] 8245812: Shenandoah: compute root phase parallelism + [backport] 8245814: Shenandoah: reconsider format specifiers for stats + [backport] 8245825: Shenandoah: Remove diagnostic flag ShenandoahConcurrentScanCodeRoots + [backport] 8246162: Shenandoah: full GC does not mark code roots when class unloading is off + [backport] 8247310: Shenandoah: pacer should not affect interrupt status + [backport] 8247358: Shenandoah: reconsider free budget slice for marking + [backport] 8247367: Shenandoah: pacer should wait on lock instead of exponential backoff + [backport] 8247474: Shenandoah: Windows build warning after JDK-8247310 + [backport] 8247560: Shenandoah: heap iteration holds root locks all the time + [backport] 8247593: Shenandoah: should not block pacing reporters + [backport] 8247751: Shenandoah: options tests should run with smaller heaps + [backport] 8247754: Shenandoah: mxbeans tests can be shorter + [backport] 8247757: Shenandoah: split heavy tests by heuristics to improve parallelism + [backport] 8247860: Shenandoah: add update watermark line in rich assert failure message + [backport] 8248041: Shenandoah: pre-Full GC root updates may miss some roots + [backport] 8248652: Shenandoah: SATB buffer handling may assume no forwarded objects + [backport] 8249560: Shenandoah: Fix racy GC request handling + [backport] 8249649: Shenandoah: provide per-cycle pacing stats + [backport] 8249801: Shenandoah: Clear soft-refs on requested GC cycle + [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + Fix slowdebug build after JDK-8230853 backport + JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and JFR + JDK-8252366: Shenandoah: revert/cleanup changes in graphKit.cpp + Shenandoah: add JFR roots to root processor after JFR integration + Shenandoah: add root statistics 
for string dedup table/queues + Shenandoah: enable low-frequency STW class unloading + Shenandoah: fix build failures after JDK-8244737 backport + Shenandoah: Fix build failure with +JFR -PCH + Shenandoah: fix forceful pacer claim + Shenandoah: fix formats in ShenandoahStringSymbolTableUnlinkTask + Shenandoah: fix runtime linking failure due to non-compiled shenandoahBarrierSetC1 + Shenandoah: hook statistics printing to PrintGCDetails, not PrintGC + Shenandoah: JNI weak roots are always cleared before Full GC mark + Shenandoah: missing SystemDictionary roots in ShenandoahHeapIterationRootScanner + Shenandoah: move barrier sets to their proper locations + Shenandoah: move parallelCleaning.* to shenandoah/ + Shenandoah: pacer should use proper Atomics for intptr_t + Shenandoah: properly deallocates class loader metadata + Shenandoah: specialize String Table scans for better pause performance + Shenandoah: Zero build fails after recent Atomic cleanup in Pacer * AArch64 port + JDK-8161072, PR3797: AArch64: jtreg compiler/uncommontrap/TestDeoptOOM failure + JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java generates guarantee failure in C1 + JDK-8183925, PR3797: [AArch64] Decouple crash protection from watcher thread + JDK-8199712, PR3797: [AArch64] Flight Recorder + JDK-8203481, PR3797: Incorrect constraint for unextended_sp in frame:safe_for_sender + JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall fails with SIGILL on aarch64 + JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command + JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java fails on AArch64 + JDK-8216989, PR3797: CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier() does not check for zero length on AARCH64 + JDK-8217368, PR3797: AArch64: C2 recursive stack locking optimisation not triggered + JDK-8221658, PR3797: aarch64: add necessary predicate for ubfx patterns + JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a BufferBlob + JDK-8246482, PR3797: Build 
failures with +JFR -PCH + JDK-8247979, PR3797: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248219, PR3797: aarch64: missing memory barrier in fast_storefield and fast_accessfield Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3460=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3460=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-3460=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-3460=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.272-3.42.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-debugsource-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-3.42.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): java-1_8_0-openjdk-1.8.0.272-3.42.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-debugsource-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-3.42.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.272-3.42.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-3.42.1 
java-1_8_0-openjdk-debugsource-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-3.42.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.272-3.42.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-debugsource-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-1.8.0.272-3.42.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-1.8.0.272-3.42.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-1.8.0.272-3.42.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-3.42.1 References: https://www.suse.com/security/cve/CVE-2020-14556.html https://www.suse.com/security/cve/CVE-2020-14577.html https://www.suse.com/security/cve/CVE-2020-14578.html https://www.suse.com/security/cve/CVE-2020-14579.html https://www.suse.com/security/cve/CVE-2020-14581.html https://www.suse.com/security/cve/CVE-2020-14583.html https://www.suse.com/security/cve/CVE-2020-14593.html https://www.suse.com/security/cve/CVE-2020-14621.html https://www.suse.com/security/cve/CVE-2020-14779.html https://www.suse.com/security/cve/CVE-2020-14781.html https://www.suse.com/security/cve/CVE-2020-14782.html https://www.suse.com/security/cve/CVE-2020-14792.html https://www.suse.com/security/cve/CVE-2020-14796.html https://www.suse.com/security/cve/CVE-2020-14797.html https://www.suse.com/security/cve/CVE-2020-14798.html https://www.suse.com/security/cve/CVE-2020-14803.html https://bugzilla.suse.com/1174157 https://bugzilla.suse.com/1177943 From sle-security-updates at lists.suse.com Fri Nov 20 10:21:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 20 Nov 2020 18:21:52 +0100 (CET) Subject: 
SUSE-SU-2020:3463-1: important: Security update for postgresql12 Message-ID: <20201120172152.69902F750@maintenance.suse.de> SUSE Security Update: Security update for postgresql12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3463-1 Rating: important References: #1178666 #1178667 #1178668 Cross-References: CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for postgresql12 fixes the following issues: - Upgrade to version 12.5: * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries. * CVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb. b) When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used. * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying specially-treated variables. * Fix recently-added timetz test case so it works when the USA is not observing daylight savings time. * https://www.postgresql.org/about/news/2111/ * https://www.postgresql.org/docs/12/release-12-5.html - Stop building the mini and lib packages as they are now coming from postgresql13. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3463=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3463=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      libecpg6-12.5-8.10.1
      libecpg6-debuginfo-12.5-8.10.1
      postgresql12-contrib-12.5-8.10.1
      postgresql12-contrib-debuginfo-12.5-8.10.1
      postgresql12-debuginfo-12.5-8.10.1
      postgresql12-debugsource-12.5-8.10.1
      postgresql12-devel-12.5-8.10.1
      postgresql12-devel-debuginfo-12.5-8.10.1
      postgresql12-plperl-12.5-8.10.1
      postgresql12-plperl-debuginfo-12.5-8.10.1
      postgresql12-plpython-12.5-8.10.1
      postgresql12-plpython-debuginfo-12.5-8.10.1
      postgresql12-pltcl-12.5-8.10.1
      postgresql12-pltcl-debuginfo-12.5-8.10.1
      postgresql12-server-12.5-8.10.1
      postgresql12-server-debuginfo-12.5-8.10.1
      postgresql12-server-devel-12.5-8.10.1
      postgresql12-server-devel-debuginfo-12.5-8.10.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

      postgresql12-docs-12.5-8.10.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libpq5-12.5-8.10.1
      libpq5-debuginfo-12.5-8.10.1
      postgresql12-12.5-8.10.1
      postgresql12-debuginfo-12.5-8.10.1
      postgresql12-debugsource-12.5-8.10.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libpq5-32bit-12.5-8.10.1
      libpq5-32bit-debuginfo-12.5-8.10.1

References:

   https://www.suse.com/security/cve/CVE-2020-25694.html
   https://www.suse.com/security/cve/CVE-2020-25695.html
   https://www.suse.com/security/cve/CVE-2020-25696.html
   https://bugzilla.suse.com/1178666
   https://bugzilla.suse.com/1178667
   https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com Sat Nov 21 04:17:11 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 Nov 2020 12:17:11 +0100 (CET)
Subject: SUSE-SU-2020:3474-1: important: Security update for u-boot
Message-ID: <20201121111711.5A6E3F7B4@maintenance.suse.de>

SUSE Security Update: Security update for u-boot
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3474-1
Rating:             important
References:         #1134157 #1134853 #1143463 #1143777 #1143817 #1143818
                    #1143819 #1143820 #1143821 #1143823 #1143824 #1143825
                    #1143827 #1143828 #1143830 #1143831 #1167209
Cross-References:   CVE-2019-11059 CVE-2019-11690 CVE-2019-13103 CVE-2019-14192
                    CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196
                    CVE-2019-14197 CVE-2019-14198 CVE-2019-14200 CVE-2019-14201
                    CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 CVE-2019-14299
                    CVE-2020-10648
Affected Products:
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   This update for u-boot fixes the following issues:

   - Work around CVE-2019-11059 by disabling 64Bit descriptor size (bsc#1134853)
   - CVE-2019-11690 (bsc#1134157), CVE-2020-10648 (bsc#1167209), CVE-2019-13103 (bsc#1143463),
     CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827),
     CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831),
     CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819),
     CVE-2019-14196 (bsc#1143820), CVE-2019-14299 (bsc#1143824), CVE-2019-14192 (bsc#1143777),
     CVE-2019-14193 (bsc#1143817).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3474=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-3474=1

Package List:

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64):

      u-boot-rpi3-2016.07-12.3.1
      u-boot-tools-2016.07-12.3.1
      u-boot-tools-debuginfo-2016.07-12.3.1

   - SUSE Enterprise Storage 5 (aarch64):

      u-boot-rpi3-2016.07-12.3.1
      u-boot-tools-2016.07-12.3.1
      u-boot-tools-debuginfo-2016.07-12.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-11059.html
   https://www.suse.com/security/cve/CVE-2019-11690.html
   https://www.suse.com/security/cve/CVE-2019-13103.html
   https://www.suse.com/security/cve/CVE-2019-14192.html
   https://www.suse.com/security/cve/CVE-2019-14193.html
   https://www.suse.com/security/cve/CVE-2019-14194.html
   https://www.suse.com/security/cve/CVE-2019-14195.html
   https://www.suse.com/security/cve/CVE-2019-14196.html
   https://www.suse.com/security/cve/CVE-2019-14197.html
   https://www.suse.com/security/cve/CVE-2019-14198.html
   https://www.suse.com/security/cve/CVE-2019-14200.html
   https://www.suse.com/security/cve/CVE-2019-14201.html
   https://www.suse.com/security/cve/CVE-2019-14202.html
   https://www.suse.com/security/cve/CVE-2019-14203.html
   https://www.suse.com/security/cve/CVE-2019-14204.html
   https://www.suse.com/security/cve/CVE-2019-14299.html
   https://www.suse.com/security/cve/CVE-2020-10648.html
   https://bugzilla.suse.com/1134157
   https://bugzilla.suse.com/1134853
   https://bugzilla.suse.com/1143463
   https://bugzilla.suse.com/1143777
   https://bugzilla.suse.com/1143817
   https://bugzilla.suse.com/1143818
   https://bugzilla.suse.com/1143819
   https://bugzilla.suse.com/1143820
   https://bugzilla.suse.com/1143821
   https://bugzilla.suse.com/1143823
   https://bugzilla.suse.com/1143824
   https://bugzilla.suse.com/1143825
   https://bugzilla.suse.com/1143827
   https://bugzilla.suse.com/1143828
   https://bugzilla.suse.com/1143830
   https://bugzilla.suse.com/1143831
   https://bugzilla.suse.com/1167209

From sle-security-updates at lists.suse.com Sat Nov 21 04:27:47 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 Nov 2020 12:27:47 +0100 (CET)
Subject: SUSE-SU-2020:3476-1: important: Security update for postgresql10
Message-ID: <20201121112747.CD9DDF7B4@maintenance.suse.de>

SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3476-1
Rating:             important
References:         #1178666 #1178667 #1178668
Cross-References:   CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for postgresql10 fixes the following issues:

   - Upgrade to version 10.15:
     * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred
       triggers within index expressions and materialized view queries.
     * CVE-2020-25694, bsc#1178667:
       a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb,
          reindexdb, and vacuumdb.
       b) When psql's \connect command re-uses connection parameters, ensure that all
          non-overridden parameters from a previous connection string are re-used.
     * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying
       specially-treated variables.
     * Fix recently-added timetz test case so it works when the USA is not observing daylight
       savings time.
     * https://www.postgresql.org/about/news/2111/
     * https://www.postgresql.org/docs/10/release-10-15.html

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3476=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3476=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3476=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3476=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      postgresql10-contrib-10.15-8.22.1
      postgresql10-contrib-debuginfo-10.15-8.22.1
      postgresql10-debuginfo-10.15-8.22.1
      postgresql10-debugsource-10.15-8.22.1
      postgresql10-devel-10.15-8.22.1
      postgresql10-devel-debuginfo-10.15-8.22.1
      postgresql10-plperl-10.15-8.22.1
      postgresql10-plperl-debuginfo-10.15-8.22.1
      postgresql10-plpython-10.15-8.22.1
      postgresql10-plpython-debuginfo-10.15-8.22.1
      postgresql10-pltcl-10.15-8.22.1
      postgresql10-pltcl-debuginfo-10.15-8.22.1
      postgresql10-server-10.15-8.22.1
      postgresql10-server-debuginfo-10.15-8.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

      postgresql10-docs-10.15-8.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      postgresql10-contrib-10.15-8.22.1
      postgresql10-contrib-debuginfo-10.15-8.22.1
      postgresql10-debuginfo-10.15-8.22.1
      postgresql10-debugsource-10.15-8.22.1
      postgresql10-devel-10.15-8.22.1
      postgresql10-devel-debuginfo-10.15-8.22.1
      postgresql10-plperl-10.15-8.22.1
      postgresql10-plperl-debuginfo-10.15-8.22.1
      postgresql10-plpython-10.15-8.22.1
      postgresql10-plpython-debuginfo-10.15-8.22.1
      postgresql10-pltcl-10.15-8.22.1
      postgresql10-pltcl-debuginfo-10.15-8.22.1
      postgresql10-server-10.15-8.22.1
      postgresql10-server-debuginfo-10.15-8.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

      postgresql10-docs-10.15-8.22.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      postgresql10-10.15-8.22.1
      postgresql10-debuginfo-10.15-8.22.1
      postgresql10-debugsource-10.15-8.22.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      postgresql10-10.15-8.22.1
      postgresql10-debuginfo-10.15-8.22.1
      postgresql10-debugsource-10.15-8.22.1

References:

   https://www.suse.com/security/cve/CVE-2020-25694.html
   https://www.suse.com/security/cve/CVE-2020-25695.html
   https://www.suse.com/security/cve/CVE-2020-25696.html
   https://bugzilla.suse.com/1178666
   https://bugzilla.suse.com/1178667
   https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com Sat Nov 21 04:33:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 Nov 2020 12:33:30 +0100 (CET)
Subject: SUSE-SU-2020:3477-1: important: Security update for postgresql96
Message-ID: <20201121113330.C6D6EFBB3@maintenance.suse.de>

SUSE Security Update: Security update for postgresql96
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3477-1
Rating:             important
References:         #1178666 #1178667 #1178668
Cross-References:   CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for postgresql96 fixes the following issues:

   Upgrade to version 9.6.20:
     * CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and firing of deferred
       triggers within index expressions and materialized view queries.
     * CVE-2020-25694, bsc#1178667:
       a) Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb,
          reindexdb, and vacuumdb.
       b) When psql's \connect command re-uses connection parameters, ensure that all
          non-overridden parameters from a previous connection string are re-used.
     * CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from modifying
       specially-treated variables.
     * https://www.postgresql.org/about/news/2111/
     * https://www.postgresql.org/docs/9.6/release-9-6-20.html

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3477=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3477=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3477=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3477=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3477=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3477=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3477=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3477=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3477=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-3477=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-3477=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE OpenStack Cloud 8 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE OpenStack Cloud 8 (x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE OpenStack Cloud 7 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - SUSE Enterprise Storage 5 (noarch):

      postgresql96-docs-9.6.20-6.8.1

   - HPE Helion Openstack 8 (x86_64):

      postgresql96-9.6.20-6.8.1
      postgresql96-contrib-9.6.20-6.8.1
      postgresql96-contrib-debuginfo-9.6.20-6.8.1
      postgresql96-debuginfo-9.6.20-6.8.1
      postgresql96-debugsource-9.6.20-6.8.1
      postgresql96-plperl-9.6.20-6.8.1
      postgresql96-plperl-debuginfo-9.6.20-6.8.1
      postgresql96-plpython-9.6.20-6.8.1
      postgresql96-plpython-debuginfo-9.6.20-6.8.1
      postgresql96-pltcl-9.6.20-6.8.1
      postgresql96-pltcl-debuginfo-9.6.20-6.8.1
      postgresql96-server-9.6.20-6.8.1
      postgresql96-server-debuginfo-9.6.20-6.8.1

   - HPE Helion Openstack 8 (noarch):

      postgresql96-docs-9.6.20-6.8.1

References:

   https://www.suse.com/security/cve/CVE-2020-25694.html
   https://www.suse.com/security/cve/CVE-2020-25695.html
   https://www.suse.com/security/cve/CVE-2020-25696.html
   https://bugzilla.suse.com/1178666
   https://bugzilla.suse.com/1178667
   https://bugzilla.suse.com/1178668

From sle-security-updates at lists.suse.com Sat Nov 21 04:34:38 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 Nov 2020 12:34:38 +0100 (CET)
Subject: SUSE-SU-2020:3473-1: moderate: Security update for ceph
Message-ID: <20201121113438.68130F7B4@maintenance.suse.de>

SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3473-1
Rating:             moderate
References:         #1163764 #1170200 #1170498 #1173079 #1174466 #1174529
                    #1174644 #1175120 #1175161 #1175169 #1176451 #1176499
                    #1176638 #1177078 #1177151 #1177319 #1177344 #1177450
                    #1177643 #1177676 #1177843 #1177933 #1178073 #1178531
                    SES-1071 SES-185
Cross-References:   CVE-2020-25660
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability, contains two features and has 23 fixes
   is now available.

Description:

   This update for ceph fixes the following issues:

   - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
   - Added --container-init feature (bsc#1177319, bsc#1163764)
   - Made journald the logdriver again (bsc#1177933)
   - Fixes a condition check for copy_tree, copy_files, and move_files in cephadm (bsc#1177676)
   - Fixed a bug where device_health_metrics pool gets created even without any OSDs in the
     cluster (bsc#1173079)
   - Log cephadm output to /var/log/ceph/cephadm.log (bsc#1174644)
   - Fixed a bug where the orchestrator didn't come up anymore after the deletion of OSDs
     (bsc#1176499)
   - Fixed a bug where cephadm fails to deploy all OSDs and gets stuck (bsc#1177450)
   - python-common will no longer skip unavailable disks (bsc#1177151)
   - Added snap-schedule module (jsc#SES-704)
   - Updated the SES7 downstream branding (bsc#1175120, bsc#1175161, bsc#1175169, bsc#1170498)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3473=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      ceph-common-15.2.5.667+g1a579d5bf2-3.5.1
      ceph-common-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      ceph-debugsource-15.2.5.667+g1a579d5bf2-3.5.1
      libcephfs-devel-15.2.5.667+g1a579d5bf2-3.5.1
      libcephfs2-15.2.5.667+g1a579d5bf2-3.5.1
      libcephfs2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      librados-devel-15.2.5.667+g1a579d5bf2-3.5.1
      librados-devel-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      librados2-15.2.5.667+g1a579d5bf2-3.5.1
      librados2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      libradospp-devel-15.2.5.667+g1a579d5bf2-3.5.1
      librbd-devel-15.2.5.667+g1a579d5bf2-3.5.1
      librbd1-15.2.5.667+g1a579d5bf2-3.5.1
      librbd1-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      librgw-devel-15.2.5.667+g1a579d5bf2-3.5.1
      librgw2-15.2.5.667+g1a579d5bf2-3.5.1
      librgw2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      python3-ceph-argparse-15.2.5.667+g1a579d5bf2-3.5.1
      python3-ceph-common-15.2.5.667+g1a579d5bf2-3.5.1
      python3-cephfs-15.2.5.667+g1a579d5bf2-3.5.1
      python3-cephfs-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rados-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rados-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rbd-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rbd-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rgw-15.2.5.667+g1a579d5bf2-3.5.1
      python3-rgw-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1
      rados-objclass-devel-15.2.5.667+g1a579d5bf2-3.5.1
      rbd-nbd-15.2.5.667+g1a579d5bf2-3.5.1
      rbd-nbd-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1

References:

   https://www.suse.com/security/cve/CVE-2020-25660.html
   https://bugzilla.suse.com/1163764
   https://bugzilla.suse.com/1170200
   https://bugzilla.suse.com/1170498
   https://bugzilla.suse.com/1173079
   https://bugzilla.suse.com/1174466
   https://bugzilla.suse.com/1174529
   https://bugzilla.suse.com/1174644
   https://bugzilla.suse.com/1175120
   https://bugzilla.suse.com/1175161
   https://bugzilla.suse.com/1175169
   https://bugzilla.suse.com/1176451
   https://bugzilla.suse.com/1176499
   https://bugzilla.suse.com/1176638
   https://bugzilla.suse.com/1177078
   https://bugzilla.suse.com/1177151
   https://bugzilla.suse.com/1177319
   https://bugzilla.suse.com/1177344
   https://bugzilla.suse.com/1177450
   https://bugzilla.suse.com/1177643
   https://bugzilla.suse.com/1177676
   https://bugzilla.suse.com/1177843
   https://bugzilla.suse.com/1177933
   https://bugzilla.suse.com/1178073
   https://bugzilla.suse.com/1178531

From sle-security-updates at lists.suse.com Mon Nov 23 00:19:28 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 08:19:28 +0100 (CET)
Subject: SUSE-CU-2020:685-1: Security update of suse/sles12sp3
Message-ID: <20201123071928.A9426FBB3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:685-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.233 , suse/sles12sp3:latest
Container Release     : 24.233
Severity              : moderate
Type                  : security
References            : 1178512 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3379-1
Released:    Thu Nov 19 09:30:16 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

From sle-security-updates at lists.suse.com Mon Nov 23 00:31:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 08:31:44 +0100 (CET)
Subject: SUSE-CU-2020:686-1: Security update of suse/sles12sp4
Message-ID: <20201123073144.65945FBB3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:686-1
Container Tags        : suse/sles12sp4:26.265 , suse/sles12sp4:latest
Container Release     : 26.265
Severity              : moderate
Type                  : security
References            : 1178512 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3379-1
Released:    Thu Nov 19 09:30:16 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

From sle-security-updates at lists.suse.com Mon Nov 23 00:38:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 08:38:16 +0100 (CET)
Subject: SUSE-CU-2020:687-1: Security update of suse/sles12sp5
Message-ID: <20201123073816.6236BFBB3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:687-1
Container Tags        : suse/sles12sp5:6.5.95 , suse/sles12sp5:latest
Container Release     : 6.5.95
Severity              : moderate
Type                  : security
References            : 1178512 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3379-1
Released:    Thu Nov 19 09:30:16 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

From sle-security-updates at lists.suse.com Mon Nov 23 00:53:14 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 08:53:14 +0100 (CET)
Subject: SUSE-CU-2020:688-1: Security update of suse/sle15
Message-ID: <20201123075314.D392AFBB3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:688-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.302
Container Release     : 4.22.302
Severity              : moderate
Type                  : security
References            : 1174593 1177458 1177490 1177510 1177858 1178512 1178727 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3375-1
Released:    Thu Nov 19 09:28:25 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote. This allows dropping the
  workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with
  --without=journal_remote (bsc#1177458). These files were incorrectly packaged in the main
  package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire
  days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of
  the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Mon Nov 23 07:26:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 15:26:04 +0100 (CET)
Subject: SUSE-SU-2020:3480-1: moderate: Security update for dash
Message-ID: <20201123142604.111B1FBB3@maintenance.suse.de>

SUSE Security Update: Security update for dash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3480-1
Rating:             moderate
References:         #1178978
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for dash fixes the following issues:

   - Fixed an issue where code was executed even if noexec ("-n") was specified (bsc#1178978).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-3480=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3480=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      dash-0.5.11.2-3.6.1
      dash-debuginfo-0.5.11.2-3.6.1
      dash-debugsource-0.5.11.2-3.6.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      dash-0.5.11.2-3.6.1
      dash-debuginfo-0.5.11.2-3.6.1
      dash-debugsource-0.5.11.2-3.6.1

References:

   https://bugzilla.suse.com/1178978

From sle-security-updates at lists.suse.com Mon Nov 23 07:28:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 15:28:05 +0100 (CET)
Subject: SUSE-SU-2020:3478-1: moderate: Security update for c-ares
Message-ID: <20201123142805.55F79FBB3@maintenance.suse.de>

SUSE Security Update: Security update for c-ares
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3478-1
Rating:             moderate
References:         #1178882
Cross-References:   CVE-2020-8277
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for c-ares fixes the following issues:

   - Version update to 1.17.0
     * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)
     * For further details see https://c-ares.haxx.se/changelog.html

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3478=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3478=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3478=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3478=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3478=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3478=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      c-ares-debugsource-1.17.0-3.8.1
      c-ares-devel-1.17.0-3.8.1
      libcares2-1.17.0-3.8.1
      libcares2-debuginfo-1.17.0-3.8.1

References:

   https://www.suse.com/security/cve/CVE-2020-8277.html
   https://bugzilla.suse.com/1178882

From sle-security-updates at lists.suse.com Mon Nov 23 10:17:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 18:17:32 +0100 (CET)
Subject: SUSE-SU-2020:3484-1: important: Security update for the Linux Kernel
Message-ID: <20201123171732.EF7FFF7B4@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3484-1
Rating:             important
References:         #1055014 #1058115 #1061843 #1065600 #1065729 #1066382
                    #1077428 #1112178 #1131277 #1134760 #1140683 #1163592
                    #1167030 #1168468 #1170415 #1170446 #1170630 #1171558
                    #1171675 #1172538 #1172873 #1173432 #1174748 #1175306
                    #1175520 #1175721 #1176354 #1176381 #1176382 #1176400
                    #1176485 #1176560 #1176713 #1176723 #1176855 #1176907
                    #1176946 #1176983 #1177027 #1177086 #1177101 #1177258
                    #1177271 #1177281 #1177340 #1177410 #1177411 #1177470
                    #1177511 #1177513 #1177685 #1177687 #1177703 #1177719
                    #1177724 #1177725 #1177740 #1177749 #1177750 #1177753
                    #1177754 #1177755 #1177766 #1177819 #1177820 #1177855
                    #1177856 #1177861 #1178003 #1178027 #1178123 #1178166
                    #1178182 #1178185 #1178187 #1178188 #1178202 #1178234
                    #1178330 #1178393 #1178589 #1178591 #1178622 #1178686
                    #1178700 #1178765 #1178782 #1178838 #1178878 #927455
Cross-References:   CVE-2020-0430 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351
                    CVE-2020-16120 CVE-2020-2521 CVE-2020-25212 CVE-2020-25285
                    CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669
                    CVE-2020-25704 CVE-2020-25705 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15-SP1
______________________________________________________________________________

   An update that solves 15 vulnerabilities and has 75 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP1 Azure kernel was updated to receive various security and
   bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25705: A flaw in the way reply ICMP packets are limited was found that allowed
     quick scanning of open UDP ports. This flaw allowed an off-path remote user to effectively
     bypass source port UDP randomization. The highest threat from this vulnerability is to
     confidentiality and possibly integrity, because software and services that rely on UDP
     source port randomization (like DNS) are indirectly affected as well. Kernel versions may
     be vulnerable to this issue (bsc#1175721, bsc#1178782).
   - CVE-2020-8694: Insufficient access control for some Intel(R) Processors may have allowed an
     authenticated user to potentially enable information disclosure via local access
     (bsc#1170415).
   - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
   - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
   - CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c
     (bnc#1176485).
   - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
   - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
   - CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops filter addition
     (bsc#1177724).
   - CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka
     "BleedingTooth" (bsc#1177725).
   - CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bnc#1176381).
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511). The following non-security bugs were fixed: - 9P: Cast to loff_t before multiplying (git-fixes). - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes). - ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes). - ACPI: dock: fix enum-conversion warning (git-fixes). - ACPI / extlog: Check for RDMSR failure (git-fixes). - ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes). - ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes). - ALSA: bebob: potential info leak in hwdep_read() (git-fixes). - ALSA: compress_offload: remove redundant initialization (git-fixes). - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes). - ALSA: core: pcm: simplify locking for timers (git-fixes). - ALSA: core: timer: clarify operator precedence (git-fixes). - ALSA: core: timer: remove redundant assignment (git-fixes). - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes). - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes). - ALSA: hda - Do not register a cb func if it is registered already (git-fixes). - ALSA: hda - Fix the return value if cb func is already registered (git-fixes). - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes). - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes). - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes). - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes). - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes). - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes). - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes). - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes). - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes). 
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- amd-xgbe: Add a check for an skb in the timestamp path (git-fixes).
- amd-xgbe: Add additional dynamic debug messages (git-fixes).
- amd-xgbe: Add additional ethtool statistics (git-fixes).
- amd-xgbe: Add ethtool show/set channels support (git-fixes).
- amd-xgbe: Add ethtool show/set ring parameter support (git-fixes).
- amd-xgbe: Add ethtool support to retrieve SFP module info (git-fixes).
- amd-xgbe: Add hardware features debug output (git-fixes).
- amd-xgbe: Add NUMA affinity support for IRQ hints (git-fixes).
- amd-xgbe: Add NUMA affinity support for memory allocations (git-fixes).
- amd-xgbe: Add per queue Tx and Rx statistics (git-fixes).
- amd-xgbe: Advertise FEC support with the KR re-driver (git-fixes).
- amd-xgbe: Always attempt link training in KR mode (git-fixes).
- amd-xgbe: Be sure driver shuts down cleanly on module removal (git-fixes).
- amd-xgbe: Convert to generic power management (git-fixes).
- amd-xgbe: Fix debug output of max channel counts (git-fixes).
- amd-xgbe: Fix error path in xgbe_mod_init() (git-fixes).
- amd-xgbe: Fixes for working with PHYs that support 2.5GbE (git-fixes).
- amd-xgbe: Fix SFP PHY supported/advertised settings (git-fixes).
- amd-xgbe: fix spelling mistake: "avialable" -> "available" (git-fixes).
- amd-xgbe: Handle return code from software reset function (git-fixes).
- amd-xgbe: Improve SFP 100Mbps auto-negotiation (git-fixes).
- amd-xgbe: Interrupt summary bits are h/w version dependent (git-fixes).
- amd-xgbe: Limit the I2C error messages that are output (git-fixes).
- amd-xgbe: Mark expected switch fall-throughs (git-fixes).
- amd-xgbe: Optimize DMA channel interrupt enablement (git-fixes).
- amd-xgbe: Prepare for ethtool set-channel support (git-fixes).
- amd-xgbe: Read and save the port property registers during probe (git-fixes).
- amd-xgbe: Remove field that indicates SFP diagnostic support (git-fixes).
- amd-xgbe: remove unnecessary conversion to bool (git-fixes).
- amd-xgbe: Remove use of comm_owned field (git-fixes).
- amd-xgbe: Set the MDIO mode for 10000Base-T configuration (git-fixes).
- amd-xgbe: Simplify the burst length settings (git-fixes).
- amd-xgbe: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- amd-xgbe: use dma_mapping_error to check map errors (git-fixes).
- amd-xgbe: Use __napi_schedule() in BH context (git-fixes).
- amd-xgbe: Use the proper register during PTP initialization (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- bpf: Zero-fill re-used per-cpu map element (git-fixes).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: fix incorrect updating of log root tree (bsc#1177687).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- Disable ipa-clones dump for KMP builds (bsc#1178330)
  The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- docs: ABI: sysfs-c2port: remove a duplicated entry (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873).
- drivers: net: add missing interrupt.h include (git-fixes).
- drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case (git-fixes).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- Drop sysctl files for dropped archs, add ppc64le and arm64 (bsc#1178838).
- ea43d9709f72 ("nvme: fix identify error status silent ignore")
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes).
- Fix use after free in get_capset_info callback (git-fixes).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: deal with bpf API differences in 4.12 (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
- Input: adxl34x - clean up a data type in adxl34x_probe() (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- leds: mt6323: move period calculation (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- livepatch: Test if -fdump-ipa-clones is really available
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- Move the upstreamed bluetooth fix into sorted section
- Move the upstreamed powercap fix into sorted section
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: 8390: Fix manufacturer name in Kconfig help text (git-fixes).
- net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873).
- net: amd: fix return type of ndo_start_xmit function (git-fixes).
- net/amd: Remove useless driver version (git-fixes).
- net: amd-xgbe: fix comparison to bitshift when dealing with a mask (git-fixes).
- net: amd-xgbe: Get rid of custom hex_dump_to_buffer() (git-fixes).
- net: apple: Fix manufacturer name in Kconfig help text (git-fixes).
- net: broadcom: Fix manufacturer name in Kconfig help text (git-fixes).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- netfilter: nat: can't use dst_hold on noref dst (bsc#1178878).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: mvmdio: defer probe of orion-mdio if a clock is not ready (git-fixes).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx (git-fixes).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- NFS: On fatal writeback errors, we need to call nfs_inode_remove_request() (bsc#1177340).
- NFS: Revalidate the file mapping on all fatal writeback errors (bsc#1177340).
- NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION (bsc#1170630).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: 59c7c3caaaf8 ("fix possible hang when ns scanning fails during error recovery")
- nvme: add a Identify Namespace Identification Descriptor list quirk (bsc#1174748).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme: Fix ctrl use-after-free during sysfs deletion (bsc#1174748).
- nvme: fix deadlock caused by ANA update wrong locking (bsc#1174748).
- nvme: fix possible io failures when removing multipathed ns (bsc#1174748).
- nvme: make nvme_identify_ns propagate errors back (bsc#1174748).
- nvme: make nvme_report_ns_ids propagate error back (bsc#1174748).
- nvme-multipath: do not reset on unknown status (bsc#1174748).
- nvme: Namepace identification descriptor list is optional (bsc#1174748).
- nvme: pass status to nvme_error_status (bsc#1174748).
- nvme-rdma: Avoid double freeing of async event data (bsc#1174748).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme: return error from nvme_alloc_ns() (bsc#1174748).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes).
- platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729). - powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293). - powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293). - power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes). - pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes). - pwm: lpss: Add range limit check for the base_unit register value (git-fixes). - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes). - regulator: defer probe when trying to get voltage from unresolved supply (git-fixes). - regulator: resolve supply after creating regulator (git-fixes). - Revert "cdc-acm: hardening against malicious devices" (git-fixes). - ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes). - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes). - rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592) - rtl8xxxu: prevent potential memory leak (git-fixes). - scsi: fnic: Do not call 'scsi_done()' for unhandled commands (bsc#1168468, bsc#1171675). - scsi: hisi_sas: Add debugfs ITCT file and add file operations (bsc#1140683). - scsi: hisi_sas: Add manual trigger for debugfs dump (bsc#1140683). - scsi: hisi_sas: Add missing seq_printf() call in hisi_sas_show_row_32() (bsc#1140683). - scsi: hisi_sas: Change return variable type in phy_up_v3_hw() (bsc#1140683). - scsi: hisi_sas: Correct memory allocation size for DQ debugfs (bsc#1140683). - scsi: hisi_sas: Do some more tidy-up (bsc#1140683). - scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO (bsc#1140683). - scsi: hisi_sas: Fix type casting and missing static qualifier in debugfs code (bsc#1140683). Refresh: - scsi: hisi_sas: No need to check return value of debugfs_create functions (bsc#1140683). 
Update: - scsi: hisi_sas: Some misc tidy-up (bsc#1140683). - scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729). - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226). - scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258). - scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873). - scsi: qla2xxx: Add IOCB resource tracking (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Add rport fields in debugfs (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Add SLER and PI control support (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix memory size truncation (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix MPI reset needed message (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1176946 bsc#1175520 bsc#1172538). - scsi: qla2xxx: Fix reset of MPI firmware (bsc#1176946 bsc#1175520 bsc#1172538). 
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Performance tweak (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1176946 bsc#1175520 bsc#1172538).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes).
- time: Prevent undefined behaviour in timespec64_to_ns() (git-fixes).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- Update patches.suse/vfs-add-super_operations-get_inode_dev (bsc#927455 bsc#1176983).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- USB: cdc-acm: fix cooldown mechanism (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- USB: core: driver: fix stray tabs in error messages (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- USB: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- USB: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- usb: serial: qcserial: fix altsetting probing (git-fixes).
- USB: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- USB: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes).
- xfs: fix rmap key and record comparison functions (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xgbe: no need to check return value of debugfs_create functions (git-fixes).
- xgbe: switch to more generic VxLAN detection (git-fixes).

Special Instructions and Notes:

  Please reboot the system after installing this update.
Patch Instructions:

  To install this SUSE Security Update use the SUSE recommended installation methods
  like YaST online_update or "zypper patch".

  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Module for Public Cloud 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-3484=1

Package List:

  - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch):

    kernel-devel-azure-4.12.14-8.52.1
    kernel-source-azure-4.12.14-8.52.1

  - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64):

    kernel-azure-4.12.14-8.52.1
    kernel-azure-base-4.12.14-8.52.1
    kernel-azure-base-debuginfo-4.12.14-8.52.1
    kernel-azure-debuginfo-4.12.14-8.52.1
    kernel-azure-devel-4.12.14-8.52.1
    kernel-syms-azure-4.12.14-8.52.1

References:

  https://www.suse.com/security/cve/CVE-2020-0430.html
  https://www.suse.com/security/cve/CVE-2020-12351.html
  https://www.suse.com/security/cve/CVE-2020-12352.html
  https://www.suse.com/security/cve/CVE-2020-14351.html
  https://www.suse.com/security/cve/CVE-2020-16120.html
  https://www.suse.com/security/cve/CVE-2020-2521.html
  https://www.suse.com/security/cve/CVE-2020-25212.html
  https://www.suse.com/security/cve/CVE-2020-25285.html
  https://www.suse.com/security/cve/CVE-2020-25645.html
  https://www.suse.com/security/cve/CVE-2020-25656.html
  https://www.suse.com/security/cve/CVE-2020-25668.html
  https://www.suse.com/security/cve/CVE-2020-25669.html
  https://www.suse.com/security/cve/CVE-2020-25704.html
  https://www.suse.com/security/cve/CVE-2020-25705.html
  https://www.suse.com/security/cve/CVE-2020-8694.html
  https://bugzilla.suse.com/1055014
  https://bugzilla.suse.com/1058115
  https://bugzilla.suse.com/1061843
  https://bugzilla.suse.com/1065600
  https://bugzilla.suse.com/1065729
  https://bugzilla.suse.com/1066382
  https://bugzilla.suse.com/1077428
  https://bugzilla.suse.com/1112178
  https://bugzilla.suse.com/1131277
  https://bugzilla.suse.com/1134760
  https://bugzilla.suse.com/1140683
  https://bugzilla.suse.com/1163592
  https://bugzilla.suse.com/1167030
  https://bugzilla.suse.com/1168468
  https://bugzilla.suse.com/1170415
  https://bugzilla.suse.com/1170446
  https://bugzilla.suse.com/1170630
  https://bugzilla.suse.com/1171558
  https://bugzilla.suse.com/1171675
  https://bugzilla.suse.com/1172538
  https://bugzilla.suse.com/1172873
  https://bugzilla.suse.com/1173432
  https://bugzilla.suse.com/1174748
  https://bugzilla.suse.com/1175306
  https://bugzilla.suse.com/1175520
  https://bugzilla.suse.com/1175721
  https://bugzilla.suse.com/1176354
  https://bugzilla.suse.com/1176381
  https://bugzilla.suse.com/1176382
  https://bugzilla.suse.com/1176400
  https://bugzilla.suse.com/1176485
  https://bugzilla.suse.com/1176560
  https://bugzilla.suse.com/1176713
  https://bugzilla.suse.com/1176723
  https://bugzilla.suse.com/1176855
  https://bugzilla.suse.com/1176907
  https://bugzilla.suse.com/1176946
  https://bugzilla.suse.com/1176983
  https://bugzilla.suse.com/1177027
  https://bugzilla.suse.com/1177086
  https://bugzilla.suse.com/1177101
  https://bugzilla.suse.com/1177258
  https://bugzilla.suse.com/1177271
  https://bugzilla.suse.com/1177281
  https://bugzilla.suse.com/1177340
  https://bugzilla.suse.com/1177410
  https://bugzilla.suse.com/1177411
  https://bugzilla.suse.com/1177470
  https://bugzilla.suse.com/1177511
  https://bugzilla.suse.com/1177513
  https://bugzilla.suse.com/1177685
  https://bugzilla.suse.com/1177687
  https://bugzilla.suse.com/1177703
  https://bugzilla.suse.com/1177719
  https://bugzilla.suse.com/1177724
  https://bugzilla.suse.com/1177725
  https://bugzilla.suse.com/1177740
  https://bugzilla.suse.com/1177749
  https://bugzilla.suse.com/1177750
  https://bugzilla.suse.com/1177753
  https://bugzilla.suse.com/1177754
  https://bugzilla.suse.com/1177755
  https://bugzilla.suse.com/1177766
  https://bugzilla.suse.com/1177819
  https://bugzilla.suse.com/1177820
  https://bugzilla.suse.com/1177855
  https://bugzilla.suse.com/1177856
  https://bugzilla.suse.com/1177861
  https://bugzilla.suse.com/1178003
  https://bugzilla.suse.com/1178027
  https://bugzilla.suse.com/1178123
  https://bugzilla.suse.com/1178166
  https://bugzilla.suse.com/1178182
  https://bugzilla.suse.com/1178185
  https://bugzilla.suse.com/1178187
  https://bugzilla.suse.com/1178188
  https://bugzilla.suse.com/1178202
  https://bugzilla.suse.com/1178234
  https://bugzilla.suse.com/1178330
  https://bugzilla.suse.com/1178393
  https://bugzilla.suse.com/1178589
  https://bugzilla.suse.com/1178591
  https://bugzilla.suse.com/1178622
  https://bugzilla.suse.com/1178686
  https://bugzilla.suse.com/1178700
  https://bugzilla.suse.com/1178765
  https://bugzilla.suse.com/1178782
  https://bugzilla.suse.com/1178838
  https://bugzilla.suse.com/1178878
  https://bugzilla.suse.com/927455

From sle-security-updates at lists.suse.com Mon Nov 23 13:17:25 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Nov 2020 21:17:25 +0100 (CET)
Subject: SUSE-SU-2020:3491-1: important: Security update for the Linux Kernel
Message-ID: <20201123201725.1AD20FBB3@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3491-1
Rating:             important
References:         #1055014 #1055186 #1061843 #1065600 #1065729 #1066382 #1077428 #1129923 #1134760 #1149032 #1152489 #1155798 #1163592 #1164648 #1165692 #1168468 #1171675 #1171688 #1174003 #1174098 #1174748 #1174969 #1175052 #1175599 #1175621 #1175718 #1175721 #1175749 #1175807 #1175898 #1176019 #1176354 #1176381 #1176400 #1176485 #1176588 #1176713 #1176907 #1176979 #1177027 #1177086 #1177090 #1177109 #1177121 #1177193 #1177194 #1177206 #1177258 #1177271 #1177281 #1177283 #1177284 #1177285 #1177286 #1177297 #1177353 #1177384 #1177410 #1177411 #1177470 #1177511 #1177617 #1177681 #1177683 #1177687 #1177694 #1177697 #1177719 #1177724 #1177725 #1177726 #1177739 #1177749 #1177750 #1177754 #1177755 #1177765 #1177766 #1177799 #1177801 #1177814 #1177817 #1177854 #1177855 #1177856 #1177861
                    #1178002 #1178079 #1178166 #1178173 #1178175 #1178176 #1178177 #1178183 #1178184 #1178185 #1178186 #1178190 #1178191 #1178246 #1178255 #1178307 #1178330 #1178395
Cross-References:   CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-16120 CVE-2020-24490 CVE-2020-25212 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15-SP2
______________________________________________________________________________

  An update that solves 14 vulnerabilities and has 90 fixes is now available.

Description:

  The SUSE Linux Enterprise 15 SP2 kernel Azure was updated to receive various security and bugfixes.

  The following security bugs were fixed:

- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
- CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops filter addition (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).
- CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bnc#1176381).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
- CVE-2020-24490: Fixed a heap buffer overflow when processing extended advertising report events aka "BleedingTooth" aka "BadVibes" (bsc#1177726).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411).
- CVE-2020-27675: Fixed a race condition in the event handler which may crash dom0 (XSA-331 bsc#1177410).
- CVE-2020-25705: An ICMP global rate-limiting side channel, which could lead to e.g. the SADDNS attack, was removed (bsc#1175721).

  The following non-security bugs were fixed:

- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed (git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24).
- Add CONFIG_CHECK_CODESIGN_EKU
- airo: Fix read overflows sending packets (git-fixes).
- ALSA: ac97: (cosmetic) align argument names (git-fixes).
- ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: asihpi: fix spellint typo in comments (git-fixes).
- ALSA: atmel: ac97: clarify operator precedence (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda: (cosmetic) align function parameters (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hdspm: Fix typo arbitary (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: portman2x4: fix repeated word 'if' (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes).
- ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
- ALSA: vx: vx_core: clarify operator precedence (git-fixes).
- ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: Enable PCI write-combine resources under sysfs (bsc#1175807).
- ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes).
- ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
- ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 (git-fixes).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes).
- ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
- ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions (git-fixes).
- ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 (git-fixes).
- ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- block: Fix page_is_mergeable() for compound pages (bsc#1177814).
- block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
- Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
- bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
- btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
- btrfs: block-group: do not set the wrong READA flag for btrfs_read_block_groups() (bsc#1176019).
- btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
- btrfs: block-group: refactor how we delete one block group item (bsc#1176019).
- btrfs: block-group: refactor how we insert a block group item (bsc#1176019).
- btrfs: block-group: refactor how we read one block group item (bsc#1176019).
- btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: do not take an extra root ref at allocation time (bsc#1176019).
- btrfs: drop logs when we've aborted a transaction (bsc#1176019).
- btrfs: drop path before adding new uuid tree entry (bsc#1178176).
- btrfs: fix a race between scrub and block group removal/allocation (bsc#1176019).
- btrfs: fix crash during unmount due to race with delayed inode workers (bsc#1176019).
- btrfs: fix filesystem corruption after a device replace (bsc#1178395).
- btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
- btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
- btrfs: free block groups after free'ing fs trees (bsc#1176019).
- btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
- btrfs: kill the subvol_srcu (bsc#1176019).
- btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
- btrfs: make inodes hold a ref on their roots (bsc#1176019).
- btrfs: make the extent buffer leak check per fs info (bsc#1176019).
- btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
- btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
- btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root (bsc#1176019).
- btrfs: move the block group freeze/unfreeze helpers into block-group.c (bsc#1176019).
- btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer necessary chunk mutex locking cases (bsc#1176019).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: rename member 'trimming' of block group to a more generic name (bsc#1176019).
- btrfs: scrub, only lookup for csums if we are dealing with a data extent (bsc#1176019).
- btrfs: set the correct lockdep class for new nodes (bsc#1178184).
- btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal (git-fixes).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: promote to unsigned long long before shifting (bsc#1178175).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes).
- clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
- clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
- clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk (git-fixes).
- clk: tegra: Always program PLL_E when enabled (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
- clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
- cpuidle: Poll for a minimum of 30ns and poll for a tick if lower c-states are disabled (bnc#1176588).
- create Storage / NVMe subsection
- crypto: algif_aead - Do not set MAY_BACKLOG on the async path (git-fixes).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: dh - check validity of Z before export (bsc#1175718).
- crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
- crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175718).
- crypto: ecdh - check validity of Z before export (bsc#1175718).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- crypto: picoxcell - Fix potential race condition bug (git-fixes).
- crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA (git-fixes).
- cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
- cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
- Disable ipa-clones dump for KMP builds (bsc#1178330)
  The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
- Disable module compression on SLE15 SP2 (bsc#1178307)
- dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743).
- dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743).
- dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743).
- dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743).
- dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743).
- dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743).
- dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743).
- dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743).
- dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
- dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes).
- dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
- dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails (git-fixes).
- dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) (git-fixes).
- dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
- dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743).
- dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743).
- dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743).
- dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743).
- dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
- dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
- dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743).
- dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743).
- dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
- dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
- dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743).
- dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743).
- dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743).
- dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
- dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
- dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
- dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743).
- dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743).
- dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743).
- dm: Call proper helper to determine dax support (bsc#1177817).
- dm/dax: Fix table reference counts (bsc#1178246).
- docs: driver-api: remove a duplicated index entry (git-fixes).
- drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config (git-fixes).
- drm/radeon: revert "Prefer lower feedback dividers" (bsc#1177384).
- drop Storage / bsc#1171688 subsection
  No effect on expanded tree.
- e1000: Do not perform reset in reset_task if we are already down (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes). - ftrace: Move RCU is watching check after recursion check (git-fixes). - fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193). - futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648). - futex: Consistently use fshared as boolean (bsc#1149032). - futex: Fix incorrect should_fail_futex() handling (bsc#1149032). - futex: Remove put_futex_key() (bsc#1149032). - futex: Remove unused or redundant includes (bsc#1149032). - gpio: mockup: fix resource leak in error path (git-fixes). - gpio: rcar: Fix runtime PM imbalance on error (git-fixes). - gpio: siox: explicitly support only threaded irqs (git-fixes). - gpio: sprd: Clear interrupt when setting the type as edge (git-fixes). - gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes). - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24). - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11). - HID: hid-input: fix stylus battery reporting (git-fixes). - HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes). - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes). - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes). - hwmon: (applesmc) check status earlier (git-fixes). - hwmon: (mlxreg-fan) Fix double "Mellanox" (git-fixes). - hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} (git-fixes). - i2c: aspeed: Mask IRQ status to relevant bits (git-fixes). - i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() (git-fixes). - i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes). - i2c: cpm: Fix i2c_ram structure (git-fixes). - i2c: i801: Exclude device from suspend direct complete optimization (git-fixes). 
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes). - i2c: meson: fix clock setting overwrite (git-fixes). - i2c: meson: fixup rate calculation with filter delay (git-fixes). - i2c: owl: Clear NACK and BUS error bits (git-fixes). - i2c: rcar: Auto select RESET_CONTROLLER (git-fixes). - i2c: tegra: Prevent interrupt triggering after transfer timeout (git-fixes). - i2c: tegra: Restore pinmux on system resume (git-fixes). - i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes). - i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes). - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897). - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes). - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes). - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes). - ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes). - icmp: randomize the global rate limiter (git-fixes). - ida: Free allocated bitmap in error path (git-fixes). - ieee802154/adf7242: check status of adf7242_read_reg (git-fixes). - ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes). - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes). - iio: adc: gyroadc: fix leak of device node iterator (git-fixes). - iio: adc: qcom-spmi-adc5: fix driver name (git-fixes). - iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes). - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes). - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes). - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes). - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes). - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes). - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes). 
- ima: extend boot_aggregate with kernel measurements (bsc#1177617). - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes). - Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes). - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes). - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532). - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes). - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes). - Input: stmfts - fix a & vs && typo (git-fixes). - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes). - Input: trackpoint - enable Synaptics trackpoints (git-fixes). - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes). - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754). - iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177297). - iommu/amd: Fix potential @entry null deref (bsc#1177283). - iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177284). - iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177285). - iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177286). - iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400). - iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739). - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24). - ipmi_si: Fix wrong return value in try_smi_init() (git-fixes). - ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24). - ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24). - ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24). - ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11). - ipvlan: fix device features (networking-stable-20_08_24). 
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes). - kABI fix for NFS: Fix flexfiles read failover (git-fixes). - kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353). - kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979). - kabi/severities: ignore kABI for target_core_rbd Match behaviour for all other Ceph specific modules. - kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes). - kbuild: enforce -Werror=return-type (bsc#1177281). - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes). - leds: mlxreg: Fix possible buffer overflow (git-fixes). - leds: mt6323: move period calculation (git-fixes). - libceph-add-support-for-CMPEXT-compare-extent-reques.patch: (bsc#1177090). - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177). - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes). - lib/mpi: Add mpi_sub_ui() (bsc#1175718). - locking/rwsem: Disable reader optimistic spinning (bnc#1176588). - mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes). - mac80211: handle lack of sband->bitrates in rates (git-fixes). - mac80211: skip mpath lookup also for control port tx (git-fixes). - mac802154: tx: fix use-after-free (git-fixes). - macsec: avoid use-after-free in macsec_handle_frame() (git-fixes). - mailbox: avoid timer start from callback (git-fixes). - media: ati_remote: sanity check for both endpoints (git-fixes). - media: bdisp: Fix runtime PM imbalance on error (git-fixes). - media: camss: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes). - media: exynos4-is: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes). - media: firewire: fix memory leak (git-fixes). 
- media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes). - media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes). - media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes). - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes). - media: mc-device.c: fix memleak in media_device_register_entity (git-fixes). - media: media/pci: prevent memory leak in bttv_probe (git-fixes). - media: mx2_emmaprp: Fix memleak in emmaprp_probe (git-fixes). - media: omap3isp: Fix memleak in isp_probe (git-fixes). - media: ov5640: Correct Bit Div register in clock tree diagram (git-fixes). - media: platform: fcp: Fix a reference count leak (git-fixes). - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes). - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes). - media: rcar-csi2: Allocate v4l2_async_subdev dynamically (git-fixes). - media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes). - media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes). - media: rcar-vin: Fix a reference count leak (git-fixes). - media: rc: do not access device via sysfs after rc_unregister_device() (git-fixes). - media: rc: uevent sysfs file races with rc_unregister_device() (git-fixes). - media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes). - media: rockchip/rga: Fix a reference count leak (git-fixes). - media: s5p-mfc: Fix a reference count leak (git-fixes). - media: saa7134: avoid a shift overflow (git-fixes). - media: smiapp: Fix error handling at NVM reading (git-fixes). - media: staging/intel-ipu3: css: Correctly reset some memory (git-fixes). - media: st-delta: Fix reference count leak in delta_run_work (git-fixes). - media: sti: Fix reference count leaks (git-fixes). - media: stm32-dcmi: Fix a reference count leak (git-fixes). - media: tc358743: cleanup tc358743_cec_isr (git-fixes). 
- media: tc358743: initialize variable (git-fixes). - media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes). - media: ti-vpe: Fix a missing check and reference count leak (git-fixes). - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes). - media: usbtv: Fix refcounting mixup (git-fixes). - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes). - media: uvcvideo: Set media controller entity functions (git-fixes). - media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes). - media: v4l2-async: Document asd allocation requirements (git-fixes). - media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes). - media: vsp1: Fix runtime PM imbalance on error (git-fixes). - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes). - memory: omap-gpmc: Fix a couple off by ones (git-fixes). - memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes). - mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes). - mfd: sm501: Fix leaks in probe() (git-fixes). - mic: vop: copy data to kernel space then write to io memory (git-fixes). - misc: mic: scif: Fix error handling path (git-fixes). - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes). - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes). - mm: call cond_resched() from deferred_init_memmap() (git fixes (mm/init), bsc#1177697). - mmc: core: do not set limits.discard_granularity as 0 (git-fixes). - mmc: core: Rework wp-gpio handling (git-fixes). - mm, compaction: fully assume capture is not NULL in compact_zone_order() (git fixes (mm/compaction), bsc#1177681). - mm, compaction: make capture control handling safe wrt interrupts (git fixes (mm/compaction), bsc#1177681). - mmc: sdhci-acpi: AMDI0040: Set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes). - mmc: sdhci: Add LTR support for some Intel BYT based controllers (git-fixes). 
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes). - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes). - mm/debug.c: always print flags in dump_page() (git fixes (mm/debug)). - mm: do not panic when links can't be created in sysfs (bsc#1178002). - mm: do not rely on system state to detect hot-plug operations (bsc#1178002). - mm: fix a race during THP splitting (bsc#1178255). - mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)). - mm: initialize deferred pages with interrupts enabled (git fixes (mm/init), bsc#1177697). - mm: madvise: fix vma user-after-free (git-fixes). - mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() (bsc#1177694). - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)). - mm/migrate.c: also overwrite error when it is bigger than zero (git fixes (mm/move_pages), bsc#1177683). - mm: move_pages: report the number of non-attempted pages (git fixes (mm/move_pages), bsc#1177683). - mm: move_pages: return valid node id in status if the page is already on the target node (git fixes (mm/move_pages), bsc#1177683). - mm/pagealloc.c: call touch_nmi_watchdog() on max order boundaries in deferred init (git fixes (mm/init), bsc#1177697). - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)). - mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)). - mm: replace memmap_context by meminit_context (bsc#1178002). - mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)). - mm, slab/slub: move and improve cache_from_obj() (mm/slub bsc#1165692). mm, slab/slub: improve error reporting and overhead of cache_from_obj() (mm/slub bsc#1165692). - mm, slub: extend checks guarded by slub_debug static key (mm/slub bsc#1165692). - mm, slub: extend slub_debug syntax for multiple blocks (mm/slub bsc#1165692). 
- mm, slub: introduce kmem_cache_debug_flags() (mm/slub bsc#1165692). - mm, slub: introduce static key for slub_debug() (mm/slub bsc#1165692). - mm, slub: make reclaim_account attribute read-only (mm/slub bsc#1165692). - mm, slub: make remaining slub_debug related attributes read-only (mm/slub bsc#1165692). - mm, slub: make some slub_debug related attributes read-only (mm/slub bsc#1165692). - mm, slub: remove runtime allocation order changes (mm/slub bsc#1165692). - mm, slub: restore initial kmem_cache flags (mm/slub bsc#1165692). - mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)). - module: Correctly truncate sysfs sections output (git-fixes). - module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes). - module: Refactor section attr into bin attribute (git-fixes). - module: statically initialize init section freeing data (git-fixes). - mt76: add missing locking around ampdu action (git-fixes). - mt76: clear skb pointers from rx aggregation reorder buffer during cleanup (git-fixes). - mt76: do not use devm API for led classdev (git-fixes). - mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw (git-fixes). - mt76: fix LED link time failure (git-fixes). - mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes). - mtd: lpddr: Fix bad logic in print_drs_error (git-fixes). - mtd: lpddr: fix excessive stack usage with clang (git-fixes). - mtd: mtdoops: Do not write panic data twice (git-fixes). - mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes). - mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes). - mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes). - mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes). - mtd: spinand: gigadevice: Add QE Bit (git-fixes). - mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes). - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes). 
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes). - mwifiex: fix double free (git-fixes). - mwifiex: remove function pointer check (git-fixes). - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes). - net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24). - net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes). - net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24). - net: disable netpoll on fresh napis (networking-stable-20_09_11). - net: dsa: b53: check for timeout (networking-stable-20_08_24). - net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24). - net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24). - net: Fix bridge enslavement failure (networking-stable-20_09_24). - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24). - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11). - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24). - netlabel: fix problems with mapping removal (networking-stable-20_09_11). - net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24). - net: lantiq: Use napi_complete_done() (networking-stable-20_09_24). - net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24). - net: lantiq: Wake TX queue again (networking-stable-20_09_24). - net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24). - net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24). - net/mlx5: Fix FTE cleanup (networking-stable-20_09_24). - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24). - net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24). 
- net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes). - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24). - net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24). - net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24). - net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24). - net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24). - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11). - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11). - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes). - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes). - net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes). - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes). - nfp: use correct define to return NONE fec (networking-stable-20_09_24). - nfsd4: fix NULL dereference in nfsd/clients display code (git-fixes). - NFS: Do not move layouts to plh_return_segs list while in use (git-fixes). - NFS: Do not return layout segments that are in use (git-fixes). - NFS: ensure correct writeback errors are returned on close() (git-fixes). - NFS: Fix flexfiles read failover (git-fixes). - NFS: Fix security label length not being reset (bsc#1176381). - NFS: nfs_file_write() should check for writeback errors (git-fixes). - NFSv4.2: fix client's attribute cache management for copy_file_range (git-fixes). - nl80211: fix non-split wiphy information (git-fixes). - NTB: hw: amd: fix an issue about leak system resources (git-fixes). - ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes). - nvme-multipath: retry commands for dying queues (bsc#1171688). - nvme-rdma: fix crash due to incorrect cqe (bsc#1174748). 
- nvme-rdma: fix crash when connect rejected (bsc#1174748). - overflow: Include header file with SIZE_MAX declaration (git-fixes). - PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes). - PCI: Avoid double hpmemsize MMIO window assignment (git-fixes). - PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979). - PCI: tegra194: Fix runtime PM imbalance on error (git-fixes). - PCI: tegra: Fix runtime PM imbalance on error (git-fixes). - percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)). - perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489). - perf/x86: Fix n_pair for cancelled txn (bsc#1152489). - phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes). - pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB (git-fixes). - pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes). - pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes). - pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes). - PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification. - PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353). - Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes). - platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes). - platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes). - platform/x86: intel_pmc_core: do not create a static struct device (git-fixes). - platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting (bsc#1175599). - platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes). - platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes). - platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes). - PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079). - PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes). 
- pNFS/flexfiles: Ensure we initialise the mirror bsizes correctly on read (git-fixes). - powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes). - powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729). - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729). - powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729). - powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729). - powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729). - powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes). - powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729). - powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729). - powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729). - powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes). - powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes). - powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729). - power: supply: max17040: Correct voltage reading (git-fixes). - pwm: img: Fix null pointer access in probe (git-fixes). - pwm: lpss: Add range limit check for the base_unit register value (git-fixes). - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes). - qla2xxx: Return EBUSY on fcport deletion (bsc#1171688). - qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes). - r8169: fix data corruption issue on RTL8402 (bsc#1174098). - r8169: fix issue with forced threading in combination with shared interrupts (git-fixes). - r8169: fix operation under forced interrupt threading (git-fixes). - rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes). - rbd-add-rbd_img_fill_cmp_and_write_from_bvecs.patch: (bsc#1177090). 
- rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch: (bsc#1177090). - RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request (bsc#1175621). - Refresh patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch (bsc#1168468, bsc#1171675). - regulator: axp20x: fix LDO2/4 description (git-fixes). - regulator: resolve supply after creating regulator (git-fixes). - rename Other drivers / Intel IOMMU subsection to IOMMU - reset: sti: reset-syscfg: fix struct description warnings (git-fixes). - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes). - rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files. - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592) - rtc: ds1374: fix possible race condition (git-fixes). - rtc: rx8010: do not modify the global rtc ops (git-fixes). - rtc: sa1100: fix possible race condition (git-fixes). - rtl8xxxu: prevent potential memory leak (git-fixes). - rtw88: increse the size of rx buffer size (git-fixes). - s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733). - s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735). - s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979). - sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: Use dst group while checking imbalance for NUMA balancer (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/numa: Avoid creating large imbalances at task creation time (bnc#1176588). - sched/numa: Check numa balancing information only when enabled (bnc#1176588). - sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU scheduler functional and performance backports)). 
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729). - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226). - scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258). - scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743). - scsi: qla2xxx: Add IOCB resource tracking (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Add rport fields in debugfs (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Add SLER and PI control support (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix memory size truncation (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix MPI reset needed message (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Fix reset of MPI firmware (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Performance tweak (bsc#1171688 bsc#1174003). 
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1171688 bsc#1174003). - scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1171688 bsc#1174003). - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11). - selftests/timers: Turn off timeout setting (git-fixes). - serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes). - serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes). - serial: 8250_port: Do not service RX FIFO if throttled (git-fixes). - serial: uartps: Wait for tx_empty in console setup (git-fixes). - slimbus: core: check get_addr before removing laddr ida (git-fixes). - slimbus: core: do not enter to clock pause mode in core (git-fixes). - slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes). - soc: fsl: qbman: Fix return value on success (git-fixes). - spi: dw-pci: free previously allocated IRQs if desc->setup() fails (git-fixes). - spi: fsl-espi: Only process interrupts for expected events (git-fixes). - spi: omap2-mcspi: Improve performance waiting for CHSTAT (git-fixes). - spi: spi-s3c64xx: Check return values (git-fixes). - spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes). - spi: sprd: Release DMA channel also on probe deferral (git-fixes). - spi: stm32: Rate-limit the 'Communication suspended' message (git-fixes). - staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes). - staging:r8188eu: avoid skb_clone for amsdu to msdu conversion (git-fixes). - staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes). - SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()") (git-fixes). 
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (git-fixes). - taprio: Fix allowing too small intervals (networking-stable-20_09_24). - target-compare-and-write-backend-driver-sense-handli.patch: (bsc#1177719). - target-rbd-add-emulate_legacy_capacity-dev-attribute.patch: (bsc#1177109). - target-rbd-add-WRITE-SAME-support.patch: (bsc#1177090). - target-rbd-conditionally-fix-off-by-one-bug-in-get_b.patch: (bsc#1177109). - target-rbd-detect-stripe_unit-SCSI-block-size-misali.patch: (bsc#1177090). - target-rbd-fix-unmap-discard-block-size-conversion.patch: (bsc#1177271). - target-rbd-fix-unmap-handling-with-unmap_zeroes_data.patch: (bsc#1177271). - target-rbd-support-COMPARE_AND_WRITE.patch: (bsc#1177090). - thermal: rcar_thermal: Handle probe error gracefully (git-fixes). - time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648). - tipc: fix memory leak caused by tipc_buf_append() (git-fixes). - tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24). - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11). - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24). - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes). - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24). - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24). - tracing: Check return value of __create_val_fields() before using its result (git-fixes). - tracing: Save normal string variables (git-fixes). - tty: ipwireless: fix error handling (git-fixes). - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes). - Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI (bsc#1177194). - USB: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes). - USB: cdc-acm: handle broken union descriptors (git-fixes). - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes). 
- USB: core: Solve race condition in anchor cleanup functions (git-fixes). - USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes). - USB: dwc2: Fix parameter type in function pointer prototype (git-fixes). - USB: dwc3: core: add phy cleanup for probe error handling (git-fixes). - USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes). - USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes). - USB: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes). - USB: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes). - USB: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes). - USB: dwc3: simple: add support for Hikey 970 (git-fixes). - USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes). - USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes). - USB: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes). - USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes). - USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes). - USB: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes). - USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes). - usblp: fix race between disconnect() and read() (git-fixes). - USB: ohci: Default to per-port over-current protection (git-fixes). - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes). - USB: serial: option: add Cellient MPL200 card (git-fixes). - USB: serial: option: Add Telit FT980-KS composition (git-fixes). - USB: serial: pl2303: add device-id for HP GC device (git-fixes). - USB: serial: qcserial: fix altsetting probing (git-fixes). - USB: xhci-mtk: Fix typo (git-fixes). - vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1176979). - virtio-net: do not disable guest csum when disable LRO (git-fixes). 
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- whitespace cleanup
- wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
- wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
- xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).
- xprtrdma: fix incorrect header size calculations (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2020-3491=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):

      kernel-devel-azure-5.3.18-18.24.1
      kernel-source-azure-5.3.18-18.24.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):

      kernel-azure-5.3.18-18.24.1
      kernel-azure-debuginfo-5.3.18-18.24.1
      kernel-azure-debugsource-5.3.18-18.24.1
      kernel-azure-devel-5.3.18-18.24.1
      kernel-azure-devel-debuginfo-5.3.18-18.24.1
      kernel-syms-azure-5.3.18-18.24.1

References:

   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-24490.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-27673.html
   https://www.suse.com/security/cve/CVE-2020-27675.html
   https://bugzilla.suse.com/1055014
   https://bugzilla.suse.com/1055186
   https://bugzilla.suse.com/1061843
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1066382
   https://bugzilla.suse.com/1077428
   https://bugzilla.suse.com/1129923
   https://bugzilla.suse.com/1134760
   https://bugzilla.suse.com/1149032
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1155798
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1164648
   https://bugzilla.suse.com/1165692
   https://bugzilla.suse.com/1168468
   https://bugzilla.suse.com/1171675
   https://bugzilla.suse.com/1171688
   https://bugzilla.suse.com/1174003
   https://bugzilla.suse.com/1174098
   https://bugzilla.suse.com/1174748
   https://bugzilla.suse.com/1174969
   https://bugzilla.suse.com/1175052
   https://bugzilla.suse.com/1175599
   https://bugzilla.suse.com/1175621
   https://bugzilla.suse.com/1175718
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1175749
   https://bugzilla.suse.com/1175807
   https://bugzilla.suse.com/1175898
   https://bugzilla.suse.com/1176019
   https://bugzilla.suse.com/1176354
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176400
   https://bugzilla.suse.com/1176485
   https://bugzilla.suse.com/1176588
   https://bugzilla.suse.com/1176713
   https://bugzilla.suse.com/1176907
   https://bugzilla.suse.com/1176979
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177086
   https://bugzilla.suse.com/1177090
   https://bugzilla.suse.com/1177109
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177193
   https://bugzilla.suse.com/1177194
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177258
   https://bugzilla.suse.com/1177271
   https://bugzilla.suse.com/1177281
   https://bugzilla.suse.com/1177283
   https://bugzilla.suse.com/1177284
   https://bugzilla.suse.com/1177285
   https://bugzilla.suse.com/1177286
   https://bugzilla.suse.com/1177297
   https://bugzilla.suse.com/1177353
   https://bugzilla.suse.com/1177384
   https://bugzilla.suse.com/1177410
   https://bugzilla.suse.com/1177411
   https://bugzilla.suse.com/1177470
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/1177617
   https://bugzilla.suse.com/1177681
   https://bugzilla.suse.com/1177683
   https://bugzilla.suse.com/1177687
   https://bugzilla.suse.com/1177694
   https://bugzilla.suse.com/1177697
   https://bugzilla.suse.com/1177719
   https://bugzilla.suse.com/1177724
   https://bugzilla.suse.com/1177725
   https://bugzilla.suse.com/1177726
   https://bugzilla.suse.com/1177739
   https://bugzilla.suse.com/1177749
   https://bugzilla.suse.com/1177750
   https://bugzilla.suse.com/1177754
   https://bugzilla.suse.com/1177755
   https://bugzilla.suse.com/1177765
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1177799
   https://bugzilla.suse.com/1177801
   https://bugzilla.suse.com/1177814
   https://bugzilla.suse.com/1177817
   https://bugzilla.suse.com/1177854
   https://bugzilla.suse.com/1177855
   https://bugzilla.suse.com/1177856
   https://bugzilla.suse.com/1177861
   https://bugzilla.suse.com/1178002
   https://bugzilla.suse.com/1178079
   https://bugzilla.suse.com/1178166
   https://bugzilla.suse.com/1178173
   https://bugzilla.suse.com/1178175
   https://bugzilla.suse.com/1178176
   https://bugzilla.suse.com/1178177
   https://bugzilla.suse.com/1178183
   https://bugzilla.suse.com/1178184
   https://bugzilla.suse.com/1178185
   https://bugzilla.suse.com/1178186
   https://bugzilla.suse.com/1178190
   https://bugzilla.suse.com/1178191
   https://bugzilla.suse.com/1178246
   https://bugzilla.suse.com/1178255
   https://bugzilla.suse.com/1178307
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178395

From sle-security-updates at lists.suse.com Tue Nov 24 07:17:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 15:17:17 +0100 (CET)
Subject: SUSE-SU-2020:3497-1: moderate: Security update for mariadb
Message-ID: <20201124141717.04C37FBB4@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3497-1
Rating:             moderate
References:         #1172399 #1175596 #1177472 #1178428
Cross-References:   CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812
                    CVE-2020-15180
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.
Description:

   This update for mariadb and mariadb-connector-c fixes the following issues:

   - Update mariadb to 10.2.36 GA [bsc#1177472, bsc#1178428], fixing the following security vulnerabilities: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789, CVE-2020-15180
   - Update mariadb-connector-c to 3.1.11 [bsc#1177472 and bsc#1178428]

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3497=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3497=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3497=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3497=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3497=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libmariadb3-3.1.11-2.19.1
      libmariadb3-debuginfo-3.1.11-2.19.1
      libmariadb_plugins-3.1.11-2.19.1
      libmariadb_plugins-debuginfo-3.1.11-2.19.1
      mariadb-10.2.36-3.33.1
      mariadb-client-10.2.36-3.33.1
      mariadb-client-debuginfo-10.2.36-3.33.1
      mariadb-connector-c-debugsource-3.1.11-2.19.1
      mariadb-debuginfo-10.2.36-3.33.1
      mariadb-debugsource-10.2.36-3.33.1
      mariadb-galera-10.2.36-3.33.1
      mariadb-tools-10.2.36-3.33.1
      mariadb-tools-debuginfo-10.2.36-3.33.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      mariadb-errormessages-10.2.36-3.33.1

   - SUSE OpenStack Cloud 9 (noarch):

      mariadb-errormessages-10.2.36-3.33.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libmariadb3-3.1.11-2.19.1
      libmariadb3-debuginfo-3.1.11-2.19.1
      libmariadb_plugins-3.1.11-2.19.1
      libmariadb_plugins-debuginfo-3.1.11-2.19.1
      mariadb-10.2.36-3.33.1
      mariadb-client-10.2.36-3.33.1
      mariadb-client-debuginfo-10.2.36-3.33.1
      mariadb-connector-c-debugsource-3.1.11-2.19.1
      mariadb-debuginfo-10.2.36-3.33.1
      mariadb-debugsource-10.2.36-3.33.1
      mariadb-galera-10.2.36-3.33.1
      mariadb-tools-10.2.36-3.33.1
      mariadb-tools-debuginfo-10.2.36-3.33.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libmariadb3-3.1.11-2.19.1
      libmariadb3-debuginfo-3.1.11-2.19.1
      libmariadb_plugins-3.1.11-2.19.1
      libmariadb_plugins-debuginfo-3.1.11-2.19.1
      mariadb-10.2.36-3.33.1
      mariadb-client-10.2.36-3.33.1
      mariadb-client-debuginfo-10.2.36-3.33.1
      mariadb-connector-c-debugsource-3.1.11-2.19.1
      mariadb-debuginfo-10.2.36-3.33.1
      mariadb-debugsource-10.2.36-3.33.1
      mariadb-tools-10.2.36-3.33.1
      mariadb-tools-debuginfo-10.2.36-3.33.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      mariadb-errormessages-10.2.36-3.33.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libmariadb3-3.1.11-2.19.1
      libmariadb3-debuginfo-3.1.11-2.19.1
      libmariadb_plugins-3.1.11-2.19.1
      libmariadb_plugins-debuginfo-3.1.11-2.19.1
      mariadb-10.2.36-3.33.1
      mariadb-client-10.2.36-3.33.1
      mariadb-client-debuginfo-10.2.36-3.33.1
      mariadb-connector-c-debugsource-3.1.11-2.19.1
      mariadb-debuginfo-10.2.36-3.33.1
      mariadb-debugsource-10.2.36-3.33.1
      mariadb-tools-10.2.36-3.33.1
      mariadb-tools-debuginfo-10.2.36-3.33.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      mariadb-errormessages-10.2.36-3.33.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libmariadb3-3.1.11-2.19.1
      libmariadb3-debuginfo-3.1.11-2.19.1
      libmariadb_plugins-3.1.11-2.19.1
      libmariadb_plugins-debuginfo-3.1.11-2.19.1
      mariadb-10.2.36-3.33.1
      mariadb-client-10.2.36-3.33.1
      mariadb-client-debuginfo-10.2.36-3.33.1
      mariadb-connector-c-debugsource-3.1.11-2.19.1
      mariadb-debuginfo-10.2.36-3.33.1
      mariadb-debugsource-10.2.36-3.33.1
      mariadb-tools-10.2.36-3.33.1
      mariadb-tools-debuginfo-10.2.36-3.33.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      mariadb-errormessages-10.2.36-3.33.1

References:

   https://www.suse.com/security/cve/CVE-2020-14765.html
   https://www.suse.com/security/cve/CVE-2020-14776.html
   https://www.suse.com/security/cve/CVE-2020-14789.html
   https://www.suse.com/security/cve/CVE-2020-14812.html
   https://www.suse.com/security/cve/CVE-2020-15180.html
   https://bugzilla.suse.com/1172399
   https://bugzilla.suse.com/1175596
   https://bugzilla.suse.com/1177472
   https://bugzilla.suse.com/1178428

From sle-security-updates at lists.suse.com Tue Nov 24 10:16:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 18:16:00 +0100 (CET)
Subject: SUSE-SU-2020:3500-1: moderate: Security update for mariadb
Message-ID: <20201124171600.AAEB7FBB4@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3500-1
Rating:             moderate
References:         #1175596 #1177472 #1178428
Cross-References:   CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812
                    CVE-2020-15180
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.
Description:

   This update for mariadb and mariadb-connector-c fixes the following issues:

   - Update mariadb to 10.2.36 GA [bsc#1177472, bsc#1178428], fixing the following security vulnerabilities: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789, CVE-2020-15180
   - Update mariadb-connector-c to 3.1.11 [bsc#1177472 and bsc#1178428]

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3500=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3500=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3500=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-3500=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3500=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3500=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3500=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3500=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      libmysqld-devel-10.2.36-3.34.4
      libmysqld19-10.2.36-3.34.4
      libmysqld19-debuginfo-10.2.36-3.34.4
      mariadb-10.2.36-3.34.4
      mariadb-client-10.2.36-3.34.4
      mariadb-client-debuginfo-10.2.36-3.34.4
      mariadb-connector-c-debugsource-3.1.11-3.22.2
      mariadb-debuginfo-10.2.36-3.34.4
      mariadb-debugsource-10.2.36-3.34.4
      mariadb-tools-10.2.36-3.34.4
      mariadb-tools-debuginfo-10.2.36-3.34.4

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      mariadb-errormessages-10.2.36-3.34.4

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      libmysqld-devel-10.2.36-3.34.4
      libmysqld19-10.2.36-3.34.4
      libmysqld19-debuginfo-10.2.36-3.34.4
      mariadb-10.2.36-3.34.4
      mariadb-client-10.2.36-3.34.4
      mariadb-client-debuginfo-10.2.36-3.34.4
      mariadb-connector-c-debugsource-3.1.11-3.22.2
      mariadb-debuginfo-10.2.36-3.34.4
      mariadb-debugsource-10.2.36-3.34.4
      mariadb-tools-10.2.36-3.34.4
      mariadb-tools-debuginfo-10.2.36-3.34.4

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      mariadb-errormessages-10.2.36-3.34.4

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      mariadb-connector-c-debugsource-3.1.11-3.22.2

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      libmysqld-devel-10.2.36-3.34.4
      libmysqld19-10.2.36-3.34.4
      libmysqld19-debuginfo-10.2.36-3.34.4
      mariadb-10.2.36-3.34.4
      mariadb-client-10.2.36-3.34.4
      mariadb-client-debuginfo-10.2.36-3.34.4
      mariadb-connector-c-debugsource-3.1.11-3.22.2
      mariadb-debuginfo-10.2.36-3.34.4
      mariadb-debugsource-10.2.36-3.34.4
      mariadb-tools-10.2.36-3.34.4
      mariadb-tools-debuginfo-10.2.36-3.34.4

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):

      mariadb-errormessages-10.2.36-3.34.4

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      mariadb-connector-c-debugsource-3.1.11-3.22.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      mariadb-connector-c-debugsource-3.1.11-3.22.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      libmysqld-devel-10.2.36-3.34.4
      libmysqld19-10.2.36-3.34.4
      libmysqld19-debuginfo-10.2.36-3.34.4
      mariadb-10.2.36-3.34.4
      mariadb-client-10.2.36-3.34.4
      mariadb-client-debuginfo-10.2.36-3.34.4
      mariadb-connector-c-debugsource-3.1.11-3.22.2
      mariadb-debuginfo-10.2.36-3.34.4
      mariadb-debugsource-10.2.36-3.34.4
      mariadb-tools-10.2.36-3.34.4
      mariadb-tools-debuginfo-10.2.36-3.34.4

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      mariadb-errormessages-10.2.36-3.34.4

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libmariadb-devel-3.1.11-3.22.2
      libmariadb-devel-debuginfo-3.1.11-3.22.2
      libmariadb3-3.1.11-3.22.2
      libmariadb3-debuginfo-3.1.11-3.22.2
      libmariadb_plugins-3.1.11-3.22.2
      libmariadb_plugins-debuginfo-3.1.11-3.22.2
      libmariadbprivate-3.1.11-3.22.2
      libmariadbprivate-debuginfo-3.1.11-3.22.2
      libmysqld-devel-10.2.36-3.34.4
      libmysqld19-10.2.36-3.34.4
      libmysqld19-debuginfo-10.2.36-3.34.4
      mariadb-10.2.36-3.34.4
      mariadb-client-10.2.36-3.34.4
      mariadb-client-debuginfo-10.2.36-3.34.4
      mariadb-connector-c-debugsource-3.1.11-3.22.2
      mariadb-debuginfo-10.2.36-3.34.4
      mariadb-debugsource-10.2.36-3.34.4
      mariadb-tools-10.2.36-3.34.4
      mariadb-tools-debuginfo-10.2.36-3.34.4

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      mariadb-errormessages-10.2.36-3.34.4

References:

   https://www.suse.com/security/cve/CVE-2020-14765.html
   https://www.suse.com/security/cve/CVE-2020-14776.html
   https://www.suse.com/security/cve/CVE-2020-14789.html
   https://www.suse.com/security/cve/CVE-2020-14812.html
   https://www.suse.com/security/cve/CVE-2020-15180.html
   https://bugzilla.suse.com/1175596
   https://bugzilla.suse.com/1177472
   https://bugzilla.suse.com/1178428

From sle-security-updates at lists.suse.com Tue Nov 24 10:18:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 18:18:17 +0100 (CET)
Subject: SUSE-SU-2020:3501-1: important: Security update for the Linux Kernel
Message-ID: <20201124171817.30082FBB4@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3501-1
Rating:             important
References:         #1065600 #1083244 #1131277 #1170415 #1175721 #1175749
                    #1176011 #1176235 #1176253 #1176278 #1176381 #1176382
                    #1176423 #1176482 #1176721 #1176722 #1176725 #1176896
                    #1176922 #1176990 #1177027 #1177086 #1177165 #1177206
                    #1177226 #1177410 #1177411 #1177511 #1177513 #1177725
                    #1177766 #1178782
Cross-References:   CVE-2017-18204 CVE-2020-0404 CVE-2020-0427 CVE-2020-0431
                    CVE-2020-0432 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381
                    CVE-2020-14390 CVE-2020-25212 CVE-2020-25284 CVE-2020-25643
                    CVE-2020-25645 CVE-2020-25656 CVE-2020-25705 CVE-2020-26088
                    CVE-2020-8694
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

   An update that solves 17 vulnerabilities and has 15 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25705: A flaw was found in the way the kernel rate-limits ICMP reply packets, which allowed open UDP ports to be scanned quickly. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
   - CVE-2020-8694: Restricted energy meter access to root (bsc#1170415).
   - CVE-2020-12352: Fixed an information leak when processing certain AMP packets, aka "BleedingTooth" (bsc#1177725).
   - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
   - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
   - CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
   - CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
   - CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
   - CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation that could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
   - CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
   - CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
   - CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
   - CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
   - CVE-2020-25284: Fixed incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

   The following non-security bugs were fixed:

   - btrfs: fix race with relocation recovery and fs_root setup (bsc#1131277).
   - btrfs: flush_space always takes fs_info->fs_root (bsc#1131277).
   - btrfs: btrfs_init_new_device should use fs_info->dev_root (bsc#1131277, bsc#1176922).
   - btrfs: btrfs_test_opt and friends should take a btrfs_fs_info (bsc#1131277, bsc#1176922).
   - btrfs: call functions that always use the same root with fs_info instead (bsc#1131277, bsc#1176922).
   - btrfs: call functions that overwrite their root parameter with fs_info (bsc#1131277, bsc#1176922).
   - btrfs: flush_space always takes fs_info->fs_root (bsc#1131277, bsc#1176922).
   - btrfs: pull node/sector/stripe sizes out of root and into fs_info (bsc#1131277, bsc#1176922).
   - btrfs: Remove fs_info argument of btrfs_write_and_wait_transaction (bsc#1131277, bsc#1176922).
   - btrfs: remove root parameter from transaction commit/end routines (bsc#1131277, bsc#1176922).
   - btrfs: remove root usage from can_overcommit (bsc#1131277, bsc#1176922).
   - btrfs: root->fs_info cleanup, access fs_info->delayed_root directly (bsc#1131277, bsc#1176922).
   - btrfs: root->fs_info cleanup, add fs_info convenience variables (bsc#1131277, bsc#1176922).
   - btrfs: root->fs_info cleanup, btrfs_calc_{trans,trunc}_metadata_size (bsc#1131277, bsc#1176922).
   - btrfs: root->fs_info cleanup, update_block_group{,flags} (bsc#1131277, bsc#1176922).
   - btrfs: root->fs_info cleanup, use fs_info->dev_root everywhere (bsc#1131277, bsc#1176922).
   - btrfs: split btrfs_wait_marked_extents into normal and tree log functions (bsc#1131277, bsc#1176922).
   - btrfs: struct btrfsic_state->root should be an fs_info (bsc#1131277, bsc#1176922).
   - btrfs: take an fs_info directly when the root is not used otherwise (bsc#1131277, bsc#1176922).
   - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen: do not reschedule in preemption off sections (bsc#1175749).
   - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
   - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
   - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
   - xen/events: block rogue events for some time (XSA-332 bsc#1177411).
   - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
   - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
   - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
   - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
   - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
   - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).

Special Instructions and Notes:

   Please reboot the system after installing this update.
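Both kernel advisories above (SUSE-SU-2020:3491-1 and this one) end with the same two steps: install the patch, then reboot. The POSIX shell snippet below is an added example, not part of the SUSE advisories; it decides whether that reboot is still pending by comparing the kernel build the advisory ships (kernel-default-4.4.121-92.146.1 here, kernel-azure-5.3.18-18.24.1 in the Public Cloud advisory) with the kernel that is actually running. It assumes SUSE's naming convention that "uname -r" reports "<version>-<release>-<flavor>" without the RPM rebuild counter (for example 4.4.121-92.146-default for the package 4.4.121-92.146.1); that assumption, and the LIVE_CHECK/FIXED variables, are the example's own, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): is the reboot that the advisory
# asks for still pending on this host?
#
# Assumption: on SLE the running kernel reports "<version>-<release>-<flavor>"
# (e.g. 4.4.121-92.146-default) while the RPM carries an extra rebuild counter
# (4.4.121-92.146.1). Both are reduced to "<version>-<release>" before comparing.

# Normalise an RPM version-release or a "uname -r" string to "version-release":
# strip a trailing "-<flavor>" and anything after the second release component.
kernel_key() {
  printf '%s\n' "$1" |
    sed -e 's/-[A-Za-z][A-Za-z0-9_]*$//' \
        -e 's/^\([0-9.]*-[0-9]*\.[0-9]*\).*/\1/'
}

# Compare two keys component by component as integers; prints lt, eq or gt.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print "lt"; exit }
      if (p > q) { print "gt"; exit }
    }
    print "eq"
  }'
}

# True (exit 0) when the running kernel ($1, "uname -r" form) is older than the
# fixed build ($2, RPM version-release from the package list), i.e. the update
# may already be installed but the host still runs the vulnerable kernel.
reboot_pending() {
  [ "$(vercmp "$(kernel_key "$1")" "$(kernel_key "$2")")" = lt ]
}

# Live check, only when explicitly requested, so the functions above can be
# sourced and exercised with constructed input. FIXED defaults to the
# kernel-default build from this advisory's package list.
if [ "${LIVE_CHECK:-0}" = 1 ]; then
  FIXED=${FIXED:-4.4.121-92.146.1}
  running=$(uname -r)
  if reboot_pending "$running" "$FIXED"; then
    echo "running $running is older than $FIXED: reboot required"
    exit 2
  fi
  echo "running $running is at or above $FIXED: no reboot pending"
fi
```

Run with LIVE_CHECK=1 on the patched host (and FIXED=5.3.18-18.24.1 for the kernel-azure case); exit status 2 means the advisory's reboot has not happened yet.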
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3501=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3501=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3501=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3501=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2020-3501=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      kernel-default-4.4.121-92.146.1
      kernel-default-base-4.4.121-92.146.1
      kernel-default-base-debuginfo-4.4.121-92.146.1
      kernel-default-debuginfo-4.4.121-92.146.1
      kernel-default-debugsource-4.4.121-92.146.1
      kernel-default-devel-4.4.121-92.146.1
      kernel-syms-4.4.121-92.146.1

   - SUSE OpenStack Cloud 7 (noarch):

      kernel-devel-4.4.121-92.146.1
      kernel-macros-4.4.121-92.146.1
      kernel-source-4.4.121-92.146.1

   - SUSE OpenStack Cloud 7 (x86_64):

      kgraft-patch-4_4_121-92_146-default-1-3.5.1

   - SUSE OpenStack Cloud 7 (s390x):

      kernel-default-man-4.4.121-92.146.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kernel-default-4.4.121-92.146.1
      kernel-default-base-4.4.121-92.146.1
      kernel-default-base-debuginfo-4.4.121-92.146.1
      kernel-default-debuginfo-4.4.121-92.146.1
      kernel-default-debugsource-4.4.121-92.146.1
      kernel-default-devel-4.4.121-92.146.1
      kernel-syms-4.4.121-92.146.1
      kgraft-patch-4_4_121-92_146-default-1-3.5.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      kernel-devel-4.4.121-92.146.1
      kernel-macros-4.4.121-92.146.1
      kernel-source-4.4.121-92.146.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.121-92.146.1
      kernel-default-base-4.4.121-92.146.1
      kernel-default-base-debuginfo-4.4.121-92.146.1
      kernel-default-debuginfo-4.4.121-92.146.1
      kernel-default-debugsource-4.4.121-92.146.1
      kernel-default-devel-4.4.121-92.146.1
      kernel-syms-4.4.121-92.146.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_146-default-1-3.5.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      kernel-devel-4.4.121-92.146.1
      kernel-macros-4.4.121-92.146.1
      kernel-source-4.4.121-92.146.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):

      kernel-default-man-4.4.121-92.146.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      kernel-devel-4.4.121-92.146.1
      kernel-macros-4.4.121-92.146.1
      kernel-source-4.4.121-92.146.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      kernel-default-4.4.121-92.146.1
      kernel-default-base-4.4.121-92.146.1
      kernel-default-base-debuginfo-4.4.121-92.146.1
      kernel-default-debuginfo-4.4.121-92.146.1
      kernel-default-debugsource-4.4.121-92.146.1
      kernel-default-devel-4.4.121-92.146.1
      kernel-syms-4.4.121-92.146.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.121-92.146.1
      cluster-md-kmp-default-debuginfo-4.4.121-92.146.1
      cluster-network-kmp-default-4.4.121-92.146.1
      cluster-network-kmp-default-debuginfo-4.4.121-92.146.1
      dlm-kmp-default-4.4.121-92.146.1
      dlm-kmp-default-debuginfo-4.4.121-92.146.1
      gfs2-kmp-default-4.4.121-92.146.1
      gfs2-kmp-default-debuginfo-4.4.121-92.146.1
      kernel-default-debuginfo-4.4.121-92.146.1
      kernel-default-debugsource-4.4.121-92.146.1
      ocfs2-kmp-default-4.4.121-92.146.1
      ocfs2-kmp-default-debuginfo-4.4.121-92.146.1

References:

   https://www.suse.com/security/cve/CVE-2017-18204.html
   https://www.suse.com/security/cve/CVE-2020-0404.html
   https://www.suse.com/security/cve/CVE-2020-0427.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-0432.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
  https://www.suse.com/security/cve/CVE-2020-14390.html
  https://www.suse.com/security/cve/CVE-2020-25212.html
  https://www.suse.com/security/cve/CVE-2020-25284.html
  https://www.suse.com/security/cve/CVE-2020-25643.html
  https://www.suse.com/security/cve/CVE-2020-25645.html
  https://www.suse.com/security/cve/CVE-2020-25656.html
  https://www.suse.com/security/cve/CVE-2020-25705.html
  https://www.suse.com/security/cve/CVE-2020-26088.html
  https://www.suse.com/security/cve/CVE-2020-8694.html
  https://bugzilla.suse.com/1065600
  https://bugzilla.suse.com/1083244
  https://bugzilla.suse.com/1131277
  https://bugzilla.suse.com/1170415
  https://bugzilla.suse.com/1175721
  https://bugzilla.suse.com/1175749
  https://bugzilla.suse.com/1176011
  https://bugzilla.suse.com/1176235
  https://bugzilla.suse.com/1176253
  https://bugzilla.suse.com/1176278
  https://bugzilla.suse.com/1176381
  https://bugzilla.suse.com/1176382
  https://bugzilla.suse.com/1176423
  https://bugzilla.suse.com/1176482
  https://bugzilla.suse.com/1176721
  https://bugzilla.suse.com/1176722
  https://bugzilla.suse.com/1176725
  https://bugzilla.suse.com/1176896
  https://bugzilla.suse.com/1176922
  https://bugzilla.suse.com/1176990
  https://bugzilla.suse.com/1177027
  https://bugzilla.suse.com/1177086
  https://bugzilla.suse.com/1177165
  https://bugzilla.suse.com/1177206
  https://bugzilla.suse.com/1177226
  https://bugzilla.suse.com/1177410
  https://bugzilla.suse.com/1177411
  https://bugzilla.suse.com/1177511
  https://bugzilla.suse.com/1177513
  https://bugzilla.suse.com/1177725
  https://bugzilla.suse.com/1177766
  https://bugzilla.suse.com/1178782

From sle-security-updates at lists.suse.com Tue Nov 24 10:22:29 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 18:22:29 +0100 (CET)
Subject: SUSE-SU-2020:3503-1: important: Security update for the Linux Kernel
Message-ID: <20201124172229.BE2FAFBB4@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3503-1
Rating: important
References: #1065600 #1083244 #1121826 #1121872 #1157298 #1160917 #1170415 #1175228 #1175306 #1175721 #1175749 #1176011 #1176069 #1176235 #1176253 #1176278 #1176381 #1176382 #1176423 #1176482 #1176721 #1176722 #1176725 #1176816 #1176896 #1176990 #1177027 #1177086 #1177121 #1177165 #1177206 #1177226 #1177410 #1177411 #1177511 #1177513 #1177725 #1177766 #1177816 #1178123 #1178622 #1178782
Cross-References: CVE-2017-18204 CVE-2019-19063 CVE-2019-6133 CVE-2020-0404 CVE-2020-0427 CVE-2020-0431 CVE-2020-0432 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381 CVE-2020-14390 CVE-2020-25212 CVE-2020-25284 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25705 CVE-2020-26088 CVE-2020-8694
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise High Availability 12-SP3
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that solves 21 vulnerabilities and has 21 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are rate-limited was found that allowed an off-path remote user to quickly scan open UDP ports and effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).
- CVE-2020-25645: Fixed an issue where traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation which could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).

The following non-security bugs were fixed:

- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
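The advisory gives the fixed build of every package per product and asks for a reboot, so the practical post-patch check on a fleet is to compare what `rpm -qa` reports against those builds, and to confirm the running kernel is the fixed one. The script below is an added example, not part of the SUSE advisory or of SUSE's tooling. It ports rpm's segment-wise version comparison (simplified: no epoch, tilde or caret handling) and runs it over a constructed `rpm -qa` sample; the 94.130.1 builds in that sample are invented older versions, and `reboot_pending` assumes SUSE's kernel release naming, where `uname -r` has the form `4.4.180-94.135-default` (version, release without its last component, flavor).

```python
import functools
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `rpm -qa` output from a hypothetical SLES 12 SP3 host.
# The 94.130.1 builds are invented older versions; two kernel-default builds are
# present at once because SUSE keeps several kernel versions installed side by side.
SAMPLE_RPM_QA = """\
kernel-default-4.4.180-94.130.1
kernel-default-4.4.180-94.135.1
kernel-default-devel-4.4.180-94.130.1
kernel-syms-4.4.180-94.135.1
kernel-devel-4.4.180-94.135.1
kgraft-patch-4_4_180-94_135-default-1-4.5.1
"""

# Fixed builds as listed for SUSE Linux Enterprise Server 12-SP3-LTSS in SUSE-SU-2020:3503-1.
FIXED_NVRS = [
    "kernel-default-4.4.180-94.135.1",
    "kernel-default-base-4.4.180-94.135.1",
    "kernel-default-devel-4.4.180-94.135.1",
    "kernel-syms-4.4.180-94.135.1",
    "kernel-devel-4.4.180-94.135.1",
    "kgraft-patch-4_4_180-94_135-default-1-4.5.1",
]

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")
VR = Tuple[str, str]  # (version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp (simplified port,
    no tilde/caret handling). Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            # numeric segments compare as integers, so 135 > 94 although "1" < "9"
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            # a numeric segment counts as newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # every shared segment matched: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' on the last two hyphens; names may contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(a: VR, b: VR) -> int:
    """Order (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(a[0], b[0])
    return c if c != 0 else rpmvercmp(a[1], b[1])


def installed_builds(rpm_qa: str) -> Dict[str, List[VR]]:
    """Group `rpm -qa` lines by package name; one name may map to several builds."""
    builds: Dict[str, List[VR]] = {}
    for line in rpm_qa.splitlines():
        if line.strip():
            name, version, release = split_nvr(line.strip())
            builds.setdefault(name, []).append((version, release))
    return builds


def missing_updates(rpm_qa: str, fixed_nvrs: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (newest installed V-R, fixed V-R)} for each advisory package that
    is installed but still below the fixed build. Packages the host does not have are
    skipped, since the advisory only applies to what is installed."""
    builds = installed_builds(rpm_qa)
    behind: Dict[str, Tuple[str, str]] = {}
    for nvr in fixed_nvrs:
        name, version, release = split_nvr(nvr)
        if name not in builds:
            continue
        newest = max(builds[name], key=functools.cmp_to_key(vr_cmp))
        if vr_cmp(newest, (version, release)) < 0:
            behind[name] = ("-".join(newest), f"{version}-{release}")
    return behind


def reboot_pending(uname_r: str, kernel_nvr: str) -> bool:
    """True when the running kernel is not the fixed build. Assumption: SUSE names the
    running kernel '<version>-<release minus its last component>-<flavor>'."""
    _, version, release = split_nvr(kernel_nvr)
    expected_prefix = f"{version}-{release.rsplit('.', 1)[0]}-"
    return not uname_r.startswith(expected_prefix)


if __name__ == "__main__":
    for name, (have, need) in missing_updates(SAMPLE_RPM_QA, FIXED_NVRS).items():
        print(f"{name}: installed {have}, advisory requires {need}")
    # on a real host use os.uname().release instead of this constructed value
    print("reboot pending:", reboot_pending("4.4.180-94.130-default", FIXED_NVRS[0]))
```

On a live host, feed it the real `rpm -qa` output and `os.uname().release`. It is a cross-check of package state for an inventory or compliance report, not a substitute for `zypper patch`: a kernel-default at the fixed build with an older kernel still running is exactly the case the "Please reboot" note above is about.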
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3503=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3503=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3503=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3503=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3503=1
- SUSE Linux Enterprise High Availability 12-SP3:
  zypper in -t patch SUSE-SLE-HA-12-SP3-2020-3503=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-3503=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-3503=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-default-kgraft-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1
- SUSE OpenStack Cloud 8 (x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-default-kgraft-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1
- SUSE OpenStack Cloud 8 (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-default-kgraft-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):
  kernel-default-kgraft-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x):
  kernel-default-man-4.4.180-94.135.1
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
- SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.4.180-94.135.1
  cluster-md-kmp-default-debuginfo-4.4.180-94.135.1
  dlm-kmp-default-4.4.180-94.135.1
  dlm-kmp-default-debuginfo-4.4.180-94.135.1
  gfs2-kmp-default-4.4.180-94.135.1
  gfs2-kmp-default-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  ocfs2-kmp-default-4.4.180-94.135.1
  ocfs2-kmp-default-debuginfo-4.4.180-94.135.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
- SUSE Enterprise Storage 5 (x86_64):
  kernel-default-kgraft-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1
- SUSE Enterprise Storage 5 (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- HPE Helion Openstack 8 (noarch):
  kernel-devel-4.4.180-94.135.1
  kernel-macros-4.4.180-94.135.1
  kernel-source-4.4.180-94.135.1
- HPE Helion Openstack 8 (x86_64):
  kernel-default-4.4.180-94.135.1
  kernel-default-base-4.4.180-94.135.1
  kernel-default-base-debuginfo-4.4.180-94.135.1
  kernel-default-debuginfo-4.4.180-94.135.1
  kernel-default-debugsource-4.4.180-94.135.1
  kernel-default-devel-4.4.180-94.135.1
  kernel-default-kgraft-4.4.180-94.135.1
  kernel-syms-4.4.180-94.135.1
  kgraft-patch-4_4_180-94_135-default-1-4.5.1
  kgraft-patch-4_4_180-94_135-default-debuginfo-1-4.5.1

References:

  https://www.suse.com/security/cve/CVE-2017-18204.html
  https://www.suse.com/security/cve/CVE-2019-19063.html
  https://www.suse.com/security/cve/CVE-2019-6133.html
  https://www.suse.com/security/cve/CVE-2020-0404.html
  https://www.suse.com/security/cve/CVE-2020-0427.html
  https://www.suse.com/security/cve/CVE-2020-0431.html
  https://www.suse.com/security/cve/CVE-2020-0432.html
  https://www.suse.com/security/cve/CVE-2020-12352.html
  https://www.suse.com/security/cve/CVE-2020-14351.html
  https://www.suse.com/security/cve/CVE-2020-14381.html
  https://www.suse.com/security/cve/CVE-2020-14390.html
  https://www.suse.com/security/cve/CVE-2020-25212.html
  https://www.suse.com/security/cve/CVE-2020-25284.html
  https://www.suse.com/security/cve/CVE-2020-25641.html
  https://www.suse.com/security/cve/CVE-2020-25643.html
  https://www.suse.com/security/cve/CVE-2020-25645.html
  https://www.suse.com/security/cve/CVE-2020-25656.html
  https://www.suse.com/security/cve/CVE-2020-25668.html
  https://www.suse.com/security/cve/CVE-2020-25705.html
  https://www.suse.com/security/cve/CVE-2020-26088.html
  https://www.suse.com/security/cve/CVE-2020-8694.html
  https://bugzilla.suse.com/1065600
  https://bugzilla.suse.com/1083244
  https://bugzilla.suse.com/1121826
  https://bugzilla.suse.com/1121872
  https://bugzilla.suse.com/1157298
  https://bugzilla.suse.com/1160917
  https://bugzilla.suse.com/1170415
  https://bugzilla.suse.com/1175228
  https://bugzilla.suse.com/1175306
  https://bugzilla.suse.com/1175721
  https://bugzilla.suse.com/1175749
  https://bugzilla.suse.com/1176011
  https://bugzilla.suse.com/1176069
  https://bugzilla.suse.com/1176235
  https://bugzilla.suse.com/1176253
  https://bugzilla.suse.com/1176278
  https://bugzilla.suse.com/1176381
  https://bugzilla.suse.com/1176382
  https://bugzilla.suse.com/1176423
  https://bugzilla.suse.com/1176482
  https://bugzilla.suse.com/1176721
  https://bugzilla.suse.com/1176722
  https://bugzilla.suse.com/1176725
  https://bugzilla.suse.com/1176816
  https://bugzilla.suse.com/1176896
  https://bugzilla.suse.com/1176990
  https://bugzilla.suse.com/1177027
  https://bugzilla.suse.com/1177086
  https://bugzilla.suse.com/1177121
  https://bugzilla.suse.com/1177165
  https://bugzilla.suse.com/1177206
  https://bugzilla.suse.com/1177226
  https://bugzilla.suse.com/1177410
  https://bugzilla.suse.com/1177411
  https://bugzilla.suse.com/1177511
  https://bugzilla.suse.com/1177513
  https://bugzilla.suse.com/1177725
  https://bugzilla.suse.com/1177766
  https://bugzilla.suse.com/1177816
  https://bugzilla.suse.com/1178123
  https://bugzilla.suse.com/1178622
  https://bugzilla.suse.com/1178782

From sle-security-updates at lists.suse.com Tue Nov 24 13:16:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 21:16:04 +0100 (CET)
Subject: SUSE-SU-2020:3505-1: important: Security update for slurm
Message-ID: <20201124201604.0849DFBB4@maintenance.suse.de>

SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3505-1
Rating: important
References: #1178890 #1178891
Cross-References: CVE-2020-27745 CVE-2020-27746
Affected Products:
  SUSE Linux Enterprise Module for HPC 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for slurm fixes the following issues:

- CVE-2020-27745: PMIx - fix potential buffer overflows from use of unpackmem() (bsc#1178890).
- CVE-2020-27746: X11 forwarding - fix potential leak of the magic cookie when sent as an argument to the xauth command (bsc#1178891).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for HPC 15-SP1:
  zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-3505=1

Package List:

- SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64):
  libpmi0-18.08.9-3.16.4
  libpmi0-debuginfo-18.08.9-3.16.4
  libslurm33-18.08.9-3.16.4
  libslurm33-debuginfo-18.08.9-3.16.4
  perl-slurm-18.08.9-3.16.4
  perl-slurm-debuginfo-18.08.9-3.16.4
  slurm-18.08.9-3.16.4
  slurm-auth-none-18.08.9-3.16.4
  slurm-auth-none-debuginfo-18.08.9-3.16.4
  slurm-config-18.08.9-3.16.4
  slurm-config-man-18.08.9-3.16.4
  slurm-debuginfo-18.08.9-3.16.4
  slurm-debugsource-18.08.9-3.16.4
  slurm-devel-18.08.9-3.16.4
  slurm-doc-18.08.9-3.16.4
  slurm-lua-18.08.9-3.16.4
  slurm-lua-debuginfo-18.08.9-3.16.4
  slurm-munge-18.08.9-3.16.4
  slurm-munge-debuginfo-18.08.9-3.16.4
  slurm-node-18.08.9-3.16.4
  slurm-node-debuginfo-18.08.9-3.16.4
  slurm-pam_slurm-18.08.9-3.16.4
  slurm-pam_slurm-debuginfo-18.08.9-3.16.4
  slurm-plugins-18.08.9-3.16.4
  slurm-plugins-debuginfo-18.08.9-3.16.4
  slurm-slurmdbd-18.08.9-3.16.4
  slurm-slurmdbd-debuginfo-18.08.9-3.16.4
  slurm-sql-18.08.9-3.16.4
  slurm-sql-debuginfo-18.08.9-3.16.4
  slurm-sview-18.08.9-3.16.4
  slurm-sview-debuginfo-18.08.9-3.16.4
  slurm-torque-18.08.9-3.16.4
  slurm-torque-debuginfo-18.08.9-3.16.4

References:

  https://www.suse.com/security/cve/CVE-2020-27745.html
  https://www.suse.com/security/cve/CVE-2020-27746.html
  https://bugzilla.suse.com/1178890
  https://bugzilla.suse.com/1178891

From sle-security-updates at lists.suse.com Tue Nov 24 13:17:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 21:17:07 +0100 (CET)
Subject: SUSE-SU-2020:3507-1: important: Security update for the Linux Kernel
Message-ID: <20201124201707.F3B65FBB4@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3507-1
Rating: important
References: #1058115 #1163592 #1167030 #1172873 #1175306 #1175721 #1176855 #1176907 #1176983 #1177703 #1177819 #1177820 #1178123 #1178393 #1178589 #1178622 #1178686 #1178765 #1178782 #927455
Cross-References: CVE-2020-25668 CVE-2020-25704 CVE-2020-25705
Affected Products:
  SUSE Linux Enterprise Module for Live Patching 15-SP1
______________________________________________________________________________

An update that solves three vulnerabilities and has 17 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are rate-limited was found that allowed an off-path remote user to quickly scan open UDP ports and effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).

The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: dock: fix enum-conversion warning (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- icmp: randomize the global rate limiter (git-fixes).
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- Move the upstreamed powercap fix into sorted sectio
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873).
- net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
- power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: fix cooldown mechanism (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- usb: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes).
- xfs: fix rmap key and record comparison functions (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3507=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  kernel-default-livepatch-4.12.14-197.72.1
  kernel-default-livepatch-devel-4.12.14-197.72.1
  kernel-livepatch-4_12_14-197_72-default-1-3.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-25668.html
  https://www.suse.com/security/cve/CVE-2020-25704.html
  https://www.suse.com/security/cve/CVE-2020-25705.html
  https://bugzilla.suse.com/1058115
  https://bugzilla.suse.com/1163592
  https://bugzilla.suse.com/1167030
  https://bugzilla.suse.com/1172873
  https://bugzilla.suse.com/1175306
  https://bugzilla.suse.com/1175721
  https://bugzilla.suse.com/1176855
  https://bugzilla.suse.com/1176907
  https://bugzilla.suse.com/1176983
  https://bugzilla.suse.com/1177703
  https://bugzilla.suse.com/1177819
  https://bugzilla.suse.com/1177820
  https://bugzilla.suse.com/1178123
  https://bugzilla.suse.com/1178393
  https://bugzilla.suse.com/1178589
  https://bugzilla.suse.com/1178622
  https://bugzilla.suse.com/1178686
  https://bugzilla.suse.com/1178765
  https://bugzilla.suse.com/1178782
  https://bugzilla.suse.com/927455

From sle-security-updates at lists.suse.com Tue Nov 24 13:19:59 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 21:19:59 +0100 (CET)
Subject: SUSE-SU-2020:3507-1: important: Security update for the Linux Kernel
Message-ID: <20201124201959.9263CFBB4@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3507-1
Rating: important
References: #1058115 #1163592 #1167030 #1172873 #1175306 #1175721 #1176855 #1176907 #1176983 #1177703 #1177819 #1177820 #1178123 #1178393 #1178589 #1178622 #1178686 #1178765 #1178782 #927455
Cross-References: CVE-2020-25668 CVE-2020-25704 CVE-2020-25705
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP1
  SUSE Linux Enterprise Module for Live Patching 15-SP1
  SUSE Linux Enterprise Module for Legacy Software 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves three vulnerabilities and has 17 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are rate-limited was found that allowed an off-path remote user to quickly scan open UDP ports and effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).

The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: dock: fix enum-conversion warning (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- icmp: randomize the global rate limiter (git-fixes).
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- Move the upstreamed powercap fix into sorted sectio
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873).
- net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
- power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592).
- scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: fix cooldown mechanism (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- usb: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes).
- xfs: fix rmap key and record comparison functions (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3507=1
- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-3507=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-3507=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-3507=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3507=1
- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-3507=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  kernel-default-extra-4.12.14-197.72.1
  kernel-default-extra-debuginfo-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  kernel-default-livepatch-4.12.14-197.72.1
  kernel-default-livepatch-devel-4.12.14-197.72.1
  kernel-livepatch-4_12_14-197_72-default-1-3.3.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  reiserfs-kmp-default-4.12.14-197.72.1
  reiserfs-kmp-default-debuginfo-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-197.72.1
  kernel-obs-build-debugsource-4.12.14-197.72.1
  kernel-syms-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  kernel-docs-4.12.14-197.72.2
  kernel-source-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-197.72.1
  kernel-default-base-4.12.14-197.72.1
  kernel-default-base-debuginfo-4.12.14-197.72.1
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  kernel-default-devel-4.12.14-197.72.1
  kernel-default-devel-debuginfo-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  kernel-devel-4.12.14-197.72.1
  kernel-macros-4.12.14-197.72.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):
  kernel-default-man-4.12.14-197.72.1
  kernel-zfcpdump-debuginfo-4.12.14-197.72.1
  kernel-zfcpdump-debugsource-4.12.14-197.72.1
- SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-197.72.1
  cluster-md-kmp-default-debuginfo-4.12.14-197.72.1
  dlm-kmp-default-4.12.14-197.72.1
  dlm-kmp-default-debuginfo-4.12.14-197.72.1
  gfs2-kmp-default-4.12.14-197.72.1
  gfs2-kmp-default-debuginfo-4.12.14-197.72.1
  kernel-default-debuginfo-4.12.14-197.72.1
  kernel-default-debugsource-4.12.14-197.72.1
  ocfs2-kmp-default-4.12.14-197.72.1
  ocfs2-kmp-default-debuginfo-4.12.14-197.72.1

References:

https://www.suse.com/security/cve/CVE-2020-25668.html
https://www.suse.com/security/cve/CVE-2020-25704.html
https://www.suse.com/security/cve/CVE-2020-25705.html
https://bugzilla.suse.com/1058115
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1167030
https://bugzilla.suse.com/1172873
https://bugzilla.suse.com/1175306
https://bugzilla.suse.com/1175721
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176983
https://bugzilla.suse.com/1177703
https://bugzilla.suse.com/1177819
https://bugzilla.suse.com/1177820
https://bugzilla.suse.com/1178123
https://bugzilla.suse.com/1178393
https://bugzilla.suse.com/1178589
https://bugzilla.suse.com/1178622
https://bugzilla.suse.com/1178686
https://bugzilla.suse.com/1178765
https://bugzilla.suse.com/1178782
https://bugzilla.suse.com/927455

From sle-security-updates at lists.suse.com Tue Nov 24 13:22:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Nov 2020 21:22:58 +0100 (CET)
Subject: SUSE-SU-2020:3506-1: important: Security update for slurm
Message-ID: <20201124202258.466D0FBB4@maintenance.suse.de>

SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3506-1
Rating: important
References: #1173805 #1178890 #1178891
Cross-References: CVE-2020-27745 CVE-2020-27746
Affected Products:
  SUSE Linux Enterprise Module for HPC 15-SP2
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for slurm fixes the following issues:

- Updated to 20.02.6:
  * CVE-2020-27745: PMIx - fix potential buffer overflows from use of unpackmem() (bsc#1178890).
  * CVE-2020-27746: X11 forwarding - fix potential leak of the magic cookie when sent as an argument to the xauth command (bsc#1178891).
  * Added support for openPMIx (bsc#1173805).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for HPC 15-SP2:
  zypper in -t patch SUSE-SLE-Module-HPC-15-SP2-2020-3506=1

Package List:

- SUSE Linux Enterprise Module for HPC 15-SP2 (aarch64 x86_64):
  libnss_slurm2-20.02.6-3.3.4
  libnss_slurm2-debuginfo-20.02.6-3.3.4
  libpmi0-20.02.6-3.3.4
  libpmi0-debuginfo-20.02.6-3.3.4
  libslurm35-20.02.6-3.3.4
  libslurm35-debuginfo-20.02.6-3.3.4
  perl-slurm-20.02.6-3.3.4
  perl-slurm-debuginfo-20.02.6-3.3.4
  slurm-20.02.6-3.3.4
  slurm-auth-none-20.02.6-3.3.4
  slurm-auth-none-debuginfo-20.02.6-3.3.4
  slurm-config-20.02.6-3.3.4
  slurm-config-man-20.02.6-3.3.4
  slurm-debuginfo-20.02.6-3.3.4
  slurm-debugsource-20.02.6-3.3.4
  slurm-devel-20.02.6-3.3.4
  slurm-doc-20.02.6-3.3.4
  slurm-lua-20.02.6-3.3.4
  slurm-lua-debuginfo-20.02.6-3.3.4
  slurm-munge-20.02.6-3.3.4
  slurm-munge-debuginfo-20.02.6-3.3.4
  slurm-node-20.02.6-3.3.4
  slurm-node-debuginfo-20.02.6-3.3.4
  slurm-pam_slurm-20.02.6-3.3.4
  slurm-pam_slurm-debuginfo-20.02.6-3.3.4
  slurm-plugins-20.02.6-3.3.4
  slurm-plugins-debuginfo-20.02.6-3.3.4
  slurm-slurmdbd-20.02.6-3.3.4
  slurm-slurmdbd-debuginfo-20.02.6-3.3.4
  slurm-sql-20.02.6-3.3.4
  slurm-sql-debuginfo-20.02.6-3.3.4
  slurm-sview-20.02.6-3.3.4
  slurm-sview-debuginfo-20.02.6-3.3.4
  slurm-torque-20.02.6-3.3.4
  slurm-torque-debuginfo-20.02.6-3.3.4
  slurm-webdoc-20.02.6-3.3.4

References:

https://www.suse.com/security/cve/CVE-2020-27745.html
https://www.suse.com/security/cve/CVE-2020-27746.html
https://bugzilla.suse.com/1173805
https://bugzilla.suse.com/1178890
https://bugzilla.suse.com/1178891

From sle-security-updates at lists.suse.com Wed Nov 25 00:51:20 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 08:51:20 +0100 (CET)
Subject: SUSE-CU-2020:693-1: Security update of suse/sle15
Message-ID: <20201125075120.9931FFBB4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:693-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.352
Container Release     : 6.2.352
Severity              : moderate
Type                  : security
References            : 1174593 1177458 1177490 1177510 1177858 1178512 1178727 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote. This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458). These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Wed Nov 25 00:56:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 08:56:05 +0100 (CET)
Subject: SUSE-CU-2020:694-1: Security update of suse/sle15
Message-ID: <20201125075605.CB173FBB4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:694-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.8.2.794
Container Release     : 8.2.794
Severity              : moderate
Type                  : security
References            : 1174593 1177458 1177490 1177510 1177858 1178512 1178727 CVE-2020-28196
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote. This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458). These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Wed Nov 25 07:15:54 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 15:15:54 +0100 (CET)
Subject: SUSE-SU-2020:3512-1: important: Security update for the Linux Kernel
Message-ID: <20201125141554.1BAD9FBB3@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3512-1
Rating: important
References: #1055014 #1058115 #1061843 #1065600 #1065729 #1066382 #1077428 #1112178 #1114648 #1131277 #1134760 #1140683 #1152624 #1157424 #1163592 #1167030 #1170415 #1170446 #1171558 #1172538 #1172757 #1173432 #1174748 #1175306 #1175520 #1175721 #1176354 #1176400 #1176485 #1176560 #1176713 #1176723 #1176855 #1176907 #1176946 #1176983 #1177086 #1177101 #1177271 #1177281 #1177359 #1177410 #1177411 #1177470 #1177685 #1177687 #1177703 #1177719 #1177724 #1177725 #1177729 #1177740 #1177749 #1177750 #1177753 #1177754 #1177755 #1177762 #1177766 #1177819 #1177820 #1177855 #1177856 #1177861 #1178003 #1178027 #1178123 #1178166 #1178185 #1178187 #1178188 #1178202 #1178234 #1178330 #1178393 #1178589 #1178591 #1178607 #1178622 #1178686 #1178700 #1178765 #1178782 #927455 #936888
Cross-References: CVE-2020-0430 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-16120 CVE-2020-25285 CVE-2020-25656 CVE-2020-25668 CVE-2020-25704 CVE-2020-25705 CVE-2020-8694
Affected Products:
  SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 74 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are limited was found that allowed quick scanning of open UDP ports. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-8694: Insufficient access control for some Intel(R) Processors may have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1170415).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).

The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: dock: fix enum-conversion warning (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: Fix potential use-after-free of streams (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- arm64: Run ARCH_WORKAROUND_1 enabling code on all CPUs (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: fix incorrect updating of log root tree (bsc#1177687).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- debugfs: Fix module state check condition (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- Disable ipa-clones dump for KMP builds (bsc#1178330)
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dpaa_eth: fix the RX headroom size alignment (git-fixes).
- dpaa_eth: update the buffer layout for non-A050385 erratum scenarios (git-fixes).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- ea43d9709f72 ("nvme: fix identify error status silent ignore")
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes).
- ext4: fix dir_nlink behaviour (bsc#1177359).
- Fix use after free in get_capset_info callback (git-fixes).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipmi: use vzalloc instead of kmalloc for user creation (bsc#1178607).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- leds: mt6323: move period calculation (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- livepatch: Test if -fdump-ipa-clones is really available
  As of now we add -fdump-ipa-clones unconditionally.
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- Move the upstreamed bluetooth fix into sorted section
- Move the upstreamed powercap fix into sorted section
- Move upstreamed patches into sorted section
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: add a Identify Namespace Identification Descriptor list quirk (bsc#1174748).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme: Fix ctrl use-after-free during sysfs deletion (bsc#1174748).
- nvme: fix deadlock caused by ANA update wrong locking (bsc#1174748).
- nvme: fix possible hang when ns scanning fails during error recovery
- nvme: fix possible io failures when removing multipathed ns (bsc#1174748).
- nvme: make nvme_identify_ns propagate errors back (bsc#1174748).
- nvme: make nvme_report_ns_ids propagate error back (bsc#1174748).
- nvme-multipath: do not reset on unknown status (bsc#1174748).
- nvme: Namepace identification descriptor list is optional (bsc#1174748).
- nvme: pass status to nvme_error_status (bsc#1174748).
- nvme-rdma: Avoid double freeing of async event data (bsc#1174748).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme: return error from nvme_alloc_ns() (bsc#1174748).
- ocfs2: fix unbalanced locking (git-fixes).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1114648).
- perf/x86: Fix n_pair for cancelled txn (bsc#1114648).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix circular dependency between percpu.h and mmu.h (git-fixes).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
- powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
- power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes).
- pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: hisi_sas: Add debugfs ITCT file and add file operations (bsc#1140683).
- scsi: hisi_sas: Add manual trigger for debugfs dump (bsc#1140683).
- scsi: hisi_sas: Add missing seq_printf() call in hisi_sas_show_row_32() (bsc#1140683).
- scsi: hisi_sas: Change return variable type in phy_up_v3_hw() (bsc#1140683).
- scsi: hisi_sas: Correct memory allocation size for DQ debugfs (bsc#1140683).
- scsi: hisi_sas: Do some more tidy-up (bsc#1140683).
- scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO (bsc#1140683).
- scsi: hisi_sas: Fix type casting and missing static qualifier in debugfs code (bsc#1140683).
  Refresh:
- scsi: hisi_sas: No need to check return value of debugfs_create functions (bsc#1140683).
  Update:
- scsi: hisi_sas: Some misc tidy-up (bsc#1140683).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: fix cooldown mechanism (git-fixes).
- USB: cdc-acm: handle broken union descriptors (git-fixes).
- USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usb: host: xhci: fix ep context print mismatch in debugfs (git-fixes).
- usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- usb: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP5:

    zypper in -t patch SUSE-SLE-RT-12-SP5-2020-3512=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):

    cluster-md-kmp-rt-4.12.14-10.22.1
    dlm-kmp-rt-4.12.14-10.22.1
    gfs2-kmp-rt-4.12.14-10.22.1
    kernel-rt-4.12.14-10.22.1
    kernel-rt-base-4.12.14-10.22.1
    kernel-rt-devel-4.12.14-10.22.1
    kernel-rt_debug-4.12.14-10.22.1
    kernel-rt_debug-devel-4.12.14-10.22.1
    kernel-syms-rt-4.12.14-10.22.1
    ocfs2-kmp-rt-4.12.14-10.22.1

- SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):

    kernel-devel-rt-4.12.14-10.22.1
    kernel-source-rt-4.12.14-10.22.1

References:

https://www.suse.com/security/cve/CVE-2020-0430.html
https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-12352.html
https://www.suse.com/security/cve/CVE-2020-14351.html
https://www.suse.com/security/cve/CVE-2020-16120.html
https://www.suse.com/security/cve/CVE-2020-25285.html
https://www.suse.com/security/cve/CVE-2020-25656.html
https://www.suse.com/security/cve/CVE-2020-25668.html
https://www.suse.com/security/cve/CVE-2020-25704.html
https://www.suse.com/security/cve/CVE-2020-25705.html
https://www.suse.com/security/cve/CVE-2020-8694.html
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1058115
https://bugzilla.suse.com/1061843
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1066382
https://bugzilla.suse.com/1077428
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1131277
https://bugzilla.suse.com/1134760
https://bugzilla.suse.com/1140683
https://bugzilla.suse.com/1152624
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1167030
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1171558
https://bugzilla.suse.com/1172538
https://bugzilla.suse.com/1172757
https://bugzilla.suse.com/1173432
https://bugzilla.suse.com/1174748
https://bugzilla.suse.com/1175306
https://bugzilla.suse.com/1175520
https://bugzilla.suse.com/1175721
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1176400
https://bugzilla.suse.com/1176485
https://bugzilla.suse.com/1176560
https://bugzilla.suse.com/1176713
https://bugzilla.suse.com/1176723
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176946
https://bugzilla.suse.com/1176983
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177101
https://bugzilla.suse.com/1177271
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177359
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177685
https://bugzilla.suse.com/1177687
https://bugzilla.suse.com/1177703
https://bugzilla.suse.com/1177719
https://bugzilla.suse.com/1177724
https://bugzilla.suse.com/1177725
https://bugzilla.suse.com/1177729
https://bugzilla.suse.com/1177740
https://bugzilla.suse.com/1177749
https://bugzilla.suse.com/1177750
https://bugzilla.suse.com/1177753
https://bugzilla.suse.com/1177754
https://bugzilla.suse.com/1177755
https://bugzilla.suse.com/1177762
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177819
https://bugzilla.suse.com/1177820
https://bugzilla.suse.com/1177855
https://bugzilla.suse.com/1177856
https://bugzilla.suse.com/1177861
https://bugzilla.suse.com/1178003
https://bugzilla.suse.com/1178027
https://bugzilla.suse.com/1178123
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178187
https://bugzilla.suse.com/1178188
https://bugzilla.suse.com/1178202
https://bugzilla.suse.com/1178234
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1178393
https://bugzilla.suse.com/1178589
https://bugzilla.suse.com/1178591
https://bugzilla.suse.com/1178607
https://bugzilla.suse.com/1178622
https://bugzilla.suse.com/1178686
https://bugzilla.suse.com/1178700
https://bugzilla.suse.com/1178765
https://bugzilla.suse.com/1178782
https://bugzilla.suse.com/927455
https://bugzilla.suse.com/936888

From sle-security-updates at lists.suse.com Wed Nov 25 07:26:33 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 15:26:33 +0100 (CET)
Subject: SUSE-SU-2020:3513-1: important: Security update for the Linux Kernel
Message-ID: <20201125142633.B71E4FBB3@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3513-1
Rating: important
References: #1055014 #1058115 #1061843 #1065600 #1065729 #1066382 #1077428
            #1112178 #1131277 #1134760 #1163592 #1167030 #1170415 #1170446
            #1171558 #1172873 #1173432 #1174748 #1175306 #1175721 #1176354
            #1176485 #1176560 #1176713 #1176723 #1176855 #1176907 #1176983
            #1177086 #1177101 #1177271 #1177281 #1177410 #1177411 #1177470
            #1177685 #1177687 #1177703 #1177719 #1177724 #1177725 #1177740
            #1177749 #1177750 #1177753 #1177754 #1177755 #1177762 #1177766
            #1177819 #1177820 #1177855 #1177856 #1177861 #1178003 #1178027
            #1178123 #1178166 #1178185 #1178187 #1178188 #1178202 #1178234
            #1178330 #1178393 #1178589 #1178591 #1178622 #1178686 #1178765
            #1178782 #1178838 #927455
Cross-References: CVE-2020-0430 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351
                  CVE-2020-16120 CVE-2020-25285 CVE-2020-25656 CVE-2020-25668
                  CVE-2020-25704 CVE-2020-25705 CVE-2020-8694
Affected Products:
    SUSE Linux Enterprise Module for Realtime 15-SP1
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 62 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw was found in the way the kernel rate-limits ICMP reply packets, which allowed quick scanning of open UDP ports. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-8694: Insufficient access control for some Intel(R) Processors may have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1170415).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed the permission check used to open the real file when using overlayfs. It was possible for a file not readable by an unprivileged user to be copied to a mountpoint controlled by that user, who could then access the file (bsc#1177470).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).

The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: dock: fix enum-conversion warning (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blacklist.conf: 11d6761218d1 mm, memcg: fix error return value of mem_cgroup_css_alloc()
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- bpf: Zero-fill re-used per-cpu map element (git-fixes).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: fix incorrect updating of log root tree (bsc#1177687).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: ti: clockdomain: fix static checker warning (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- Drop sysctl files for dropped archs, add ppc64le and arm64 (bsc#1178838).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes).
- Fix use after free in get_capset_info callback (git-fixes).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- leds: mt6323: move period calculation (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- Move the upstreamed bluetooth fix into sorted section
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
- power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes).
- pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- USB: cdc-acm: fix cooldown mechanism (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- USB: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- USB: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- usb: serial: qcserial: fix altsetting probing (git-fixes).
- USB: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- USB: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes).
- xfs: fix rmap key and record comparison functions (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).
Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP1:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2020-3513=1

Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP1 (noarch):

      kernel-devel-rt-4.12.14-14.41.2
      kernel-source-rt-4.12.14-14.41.2

   - SUSE Linux Enterprise Module for Realtime 15-SP1 (x86_64):

      cluster-md-kmp-rt-4.12.14-14.41.2
      cluster-md-kmp-rt-debuginfo-4.12.14-14.41.2
      dlm-kmp-rt-4.12.14-14.41.2
      dlm-kmp-rt-debuginfo-4.12.14-14.41.2
      gfs2-kmp-rt-4.12.14-14.41.2
      gfs2-kmp-rt-debuginfo-4.12.14-14.41.2
      kernel-rt-4.12.14-14.41.2
      kernel-rt-base-4.12.14-14.41.2
      kernel-rt-base-debuginfo-4.12.14-14.41.2
      kernel-rt-debuginfo-4.12.14-14.41.2
      kernel-rt-debugsource-4.12.14-14.41.2
      kernel-rt-devel-4.12.14-14.41.2
      kernel-rt-devel-debuginfo-4.12.14-14.41.2
      kernel-rt_debug-debuginfo-4.12.14-14.41.2
      kernel-rt_debug-debugsource-4.12.14-14.41.2
      kernel-rt_debug-devel-4.12.14-14.41.2
      kernel-rt_debug-devel-debuginfo-4.12.14-14.41.2
      kernel-syms-rt-4.12.14-14.41.2
      ocfs2-kmp-rt-4.12.14-14.41.2
      ocfs2-kmp-rt-debuginfo-4.12.14-14.41.2

References:

   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25668.html
   https://www.suse.com/security/cve/CVE-2020-25704.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1055014
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1061843
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1066382
   https://bugzilla.suse.com/1077428
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1131277
   https://bugzilla.suse.com/1134760
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1167030
   https://bugzilla.suse.com/1170415
   https://bugzilla.suse.com/1170446
   https://bugzilla.suse.com/1171558
   https://bugzilla.suse.com/1172873
   https://bugzilla.suse.com/1173432
   https://bugzilla.suse.com/1174748
   https://bugzilla.suse.com/1175306
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1176354
   https://bugzilla.suse.com/1176485
   https://bugzilla.suse.com/1176560
   https://bugzilla.suse.com/1176713
   https://bugzilla.suse.com/1176723
   https://bugzilla.suse.com/1176855
   https://bugzilla.suse.com/1176907
   https://bugzilla.suse.com/1176983
   https://bugzilla.suse.com/1177086
   https://bugzilla.suse.com/1177101
   https://bugzilla.suse.com/1177271
   https://bugzilla.suse.com/1177281
   https://bugzilla.suse.com/1177410
   https://bugzilla.suse.com/1177411
   https://bugzilla.suse.com/1177470
   https://bugzilla.suse.com/1177685
   https://bugzilla.suse.com/1177687
   https://bugzilla.suse.com/1177703
   https://bugzilla.suse.com/1177719
   https://bugzilla.suse.com/1177724
   https://bugzilla.suse.com/1177725
   https://bugzilla.suse.com/1177740
   https://bugzilla.suse.com/1177749
   https://bugzilla.suse.com/1177750
   https://bugzilla.suse.com/1177753
   https://bugzilla.suse.com/1177754
   https://bugzilla.suse.com/1177755
   https://bugzilla.suse.com/1177762
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1177819
   https://bugzilla.suse.com/1177820
   https://bugzilla.suse.com/1177855
   https://bugzilla.suse.com/1177856
   https://bugzilla.suse.com/1177861
   https://bugzilla.suse.com/1178003
   https://bugzilla.suse.com/1178027
   https://bugzilla.suse.com/1178123
   https://bugzilla.suse.com/1178166
   https://bugzilla.suse.com/1178185
   https://bugzilla.suse.com/1178187
   https://bugzilla.suse.com/1178188
   https://bugzilla.suse.com/1178202
   https://bugzilla.suse.com/1178234
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178393
   https://bugzilla.suse.com/1178589
   https://bugzilla.suse.com/1178591
   https://bugzilla.suse.com/1178622
   https://bugzilla.suse.com/1178686
   https://bugzilla.suse.com/1178765
   https://bugzilla.suse.com/1178782
   https://bugzilla.suse.com/1178838
   https://bugzilla.suse.com/927455

From sle-security-updates at lists.suse.com Wed Nov 25 10:16:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 18:16:44 +0100 (CET)
Subject: SUSE-SU-2020:3515-1: important: Security update for LibVNCServer
Message-ID: <20201125171644.77A8EF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3515-1
Rating:             important
References:         #1178682
Cross-References:   CVE-2020-25708
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for LibVNCServer fixes the following issues:

   - CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3515=1

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3515=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-3515=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-3515=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      LibVNCServer-debugsource-0.9.10-4.25.1
      libvncclient0-0.9.10-4.25.1
      libvncclient0-debuginfo-0.9.10-4.25.1
      libvncserver0-0.9.10-4.25.1
      libvncserver0-debuginfo-0.9.10-4.25.1

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      LibVNCServer-debugsource-0.9.10-4.25.1
      libvncclient0-0.9.10-4.25.1
      libvncclient0-debuginfo-0.9.10-4.25.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.10-4.25.1
      libvncserver0-0.9.10-4.25.1
      libvncserver0-debuginfo-0.9.10-4.25.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.10-4.25.1
      libvncserver0-0.9.10-4.25.1
      libvncserver0-debuginfo-0.9.10-4.25.1

References:

   https://www.suse.com/security/cve/CVE-2020-25708.html
   https://bugzilla.suse.com/1178682

From sle-security-updates at lists.suse.com Wed Nov 25 10:17:39 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 18:17:39 +0100 (CET)
Subject: SUSE-SU-2020:3522-1: important: Security update for the Linux Kernel
Message-ID: <20201125171739.E290BF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3522-1
Rating:             important
References:         #1055014 #1055186 #1061843 #1065600 #1065729 #1066382 #1077428 #1129923
                    #1134760 #1149032 #1152489 #1162702 #1163592 #1164648 #1165692 #1166146
                    #1166166 #1167030 #1170415 #1170446 #1171073 #1171688 #1172873 #1174003
                    #1174098 #1174748 #1174969 #1175052 #1175306 #1175621 #1175721 #1175749
                    #1175807 #1175898 #1176180 #1176354 #1176400 #1176485 #1176564 #1176713
                    #1176907 #1176983 #1177086 #1177090 #1177109 #1177271 #1177281 #1177353
                    #1177410 #1177411 #1177470 #1177617 #1177681 #1177683 #1177687 #1177694
                    #1177697 #1177698 #1177703 #1177719 #1177724 #1177725 #1177726 #1177727
                    #1177729 #1177739 #1177749 #1177750 #1177754 #1177755 #1177765 #1177766
                    #1177799 #1177801 #1177814 #1177817 #1177820 #1177854 #1177855 #1177856
                    #1177861 #1178002 #1178079 #1178123 #1178166 #1178173 #1178175 #1178176
                    #1178177 #1178183 #1178184 #1178185 #1178186 #1178190 #1178191 #1178246
                    #1178255 #1178304 #1178307 #1178330 #1178393 #1178395 #1178461 #1178579
                    #1178581 #1178584 #1178585 #1178589 #1178591 #1178622 #1178659 #1178661
                    #1178686 #1178700 #1178782
Cross-References:   CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-16120
                    CVE-2020-24490 CVE-2020-25285 CVE-2020-25656 CVE-2020-25668
                    CVE-2020-25704 CVE-2020-25705 CVE-2020-28974 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 103 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP2 realtime kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-25705: A flaw was found in the way reply ICMP packets are rate-limited that allowed an off-path attacker to quickly scan for open UDP ports. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
   - CVE-2020-8694: Insufficient access control for some Intel(R) Processors may have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1170415).
   - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
   - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
   - CVE-2020-16120: Fixed the permission check used to open the real file when using overlayfs. It was possible for a file not readable by an unprivileged user to be copied to a mountpoint controlled by that user, who could then access the file (bsc#1177470).
   - CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724).
   - CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725).
   - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
   - CVE-2020-24490: Fixed a heap buffer overflow when processing extended advertising report events aka "BleedingTooth" (bsc#1177726).
   - CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon (bsc#1178589).

   The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed (git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes). - ACPI: dock: fix enum-conversion warning (git-fixes). - ACPI / extlog: Check for RDMSR failure (git-fixes). - ACPI: GED: fix -Wformat (git-fixes). - ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes). - ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes). - act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24). - ALSA: ac97: (cosmetic) align argument names (git-fixes). - ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes). - ALSA: asihpi: fix spellint typo in comments (git-fixes). - ALSA: atmel: ac97: clarify operator precedence (git-fixes). - ALSA: bebob: potential info leak in hwdep_read() (git-fixes). - ALSA: compress_offload: remove redundant initialization (git-fixes). - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes). - ALSA: core: pcm: simplify locking for timers (git-fixes). - ALSA: core: timer: clarify operator precedence (git-fixes). - ALSA: core: timer: remove redundant assignment (git-fixes). - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes). - ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes). - ALSA: fix kernel-doc markups (git-fixes). - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes). - ALSA: hda: (cosmetic) align function parameters (git-fixes). - ALSA: hda - Do not register a cb func if it is registered already (git-fixes). - ALSA: hda - Fix the return value if cb func is already registered (git-fixes). - ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes). - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes). - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes). - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes). - ALSA: hda/realtek - Enable headphone for ASUS TM420 (git-fixes). 
- ALSA: hda/realtek - Fixed HP headset Mic can't be detected (git-fixes). - ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes). - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes). - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes). - ALSA: hdspm: Fix typo arbitary (git-fixes). - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes). - ALSA: portman2x4: fix repeated word 'if' (git-fixes). - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes). - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes). - ALSA: sparc: dbri: fix repeated word 'the' (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for MODX (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for Qu-16 (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 (git-fixes). - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes). - ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices (git-fixes). - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes). - ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency" (git-fixes). - ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes). - ALSA: usb: scarless_gen2: fix endianness issue (git-fixes). - ALSA: vx: vx_core: clarify operator precedence (git-fixes). - ALSA: vx: vx_pcm: remove redundant assignment (git-fixes). - arm64: Enable PCI write-combine resources under sysfs (bsc#1175807). - ASoC: codecs: wcd9335: Set digital gain range correctly (git-fixes). - ASoC: cs42l51: manage mclk shutdown delay (git-fixes). - ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes). - ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes). - ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function (git-fixes). - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes). 
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes). - ASoC: qcom: sdm845: set driver name correctly (git-fixes). - ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes). - ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes). - ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 (git-fixes). - ata: sata_rcar: Fix DMA boundary mask (git-fixes). - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes). - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes). - ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes). - ath10k: provide survey info as accumulated data (git-fixes). - ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes). - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes). - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes). - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes). - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes). - ath9k_htc: Use appropriate rs_datalen type (git-fixes). - backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes). - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750). - block: ensure bdi->io_pages is always initialized (bsc#1177749). - block: Fix page_is_mergeable() for compound pages (bsc#1177814). - block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes). - Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes). - Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes). - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes). - Bluetooth: Only mark socket zapped after unlocking (git-fixes). - bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes). 
- bonding: show saner speed for broadcast mode (networking-stable-20_08_24). - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes). - brcmfmac: check ndev pointer (git-fixes). - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes). - btrfs: Account for merged patches upstream Move below patches to sorted section. - btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854). - btrfs: allocate scrub workqueues outside of locks (bsc#1178183). - btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687). - btrfs: cleanup cow block on error (bsc#1178584). - btrfs: do not force read-only after error in drop snapshot (bsc#1176354). - btrfs: do not set the full sync flag on the inode during page release (bsc#1177687). - btrfs: drop path before adding new uuid tree entry (bsc#1178176). - btrfs: fix filesystem corruption after a device replace (bsc#1178395). - btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190). - btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191). - btrfs: fix race between page release and a fast fsync (bsc#1177687). - btrfs: fix space cache memory leak after transaction abort (bsc#1178173). - btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395). - btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395). - btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687). - btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687). - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856). - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855). - btrfs: reduce contention on log trees when logging checksums (bsc#1177687). - btrfs: release old extent maps during page release (bsc#1177687). - btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687). 
- btrfs: reschedule if necessary when logging directory items (bsc#1178585). - btrfs: send, orphanize first all conflicting inodes when processing references (bsc#1178579). - btrfs: send, recompute reference path after orphanization of a directory (bsc#1178581). - btrfs: set the correct lockdep class for new nodes (bsc#1178184). - btrfs: set the lockdep class for log tree extent buffers (bsc#1178186). - btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687). - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861). - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes). - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes). - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes). - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes). - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes). - can: flexcan: flexcan_remove(): disable wakeup completely (git-fixes). - can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes). - can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A (git-fixes). - can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes). - can: peak_usb: add range checking in decode operations (git-fixes). - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes). - can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes). - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes). - ceph: promote to unsigned long long before shifting (bsc#1178175). - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes). - clk: at91: remove the checking of parent_name (git-fixes). - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes). 
- clk: imx8mq: Fix usdhc parents order (git-fixes). - clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes). - clk: meson: g12a: mark fclk_div2 as critical (git-fixes). - clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes). - cosa: Add missing kfree in error path of cosa_write (git-fixes). - create Storage / NVMe subsection - crypto: algif_aead - Do not set MAY_BACKLOG on the async path (git-fixes). - crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes). - crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes). - crypto: ccp - fix error handling (git-fixes). - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes). - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes). - crypto: omap-sham - fix digcnt register handling with export/import (git-fixes). - crypto: picoxcell - Fix potential race condition bug (git-fixes). - crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA (git-fixes). - cxgb4: fix memory leak during module unload (networking-stable-20_09_24). - cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24). - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes). - cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes). - dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817). - dax: fix detection of dax support for non-persistent memory block devices (bsc#1171073). - dax: Fix stack overflow when mounting fsdax pmem device (bsc#1171073). - Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes - Disable module compression on SLE15 SP2 (bsc#1178307) - dma-buf: Remove custom seqcount lockdep class key (bsc#1176564 bsc#1162702). - dma-buf: Use sequence counter with associated wound/wait mutex (bsc#1176564 bsc#1162702). 
- dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743). - dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743). - dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743). - dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743). - dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743). - dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743). - dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743). - dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743). - dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743). - dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743). - dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743). - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes). - dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes). - dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes). - dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743). - dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743). - dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743). - dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743). - dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743). - dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743). - dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743). - dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743). - dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743). 
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743). - dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743). - dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743). - dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743). - dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743). - dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743). - dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743). - dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743). - dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743). - dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743). - dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743). - dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743). - dm: Call proper helper to determine dax support (bsc#1177817). - dm/dax: Fix table reference counts (bsc#1178246). - docs: driver-api: remove a duplicated index entry (git-fixes). - Documentation: locking: Describe seqlock design and usage (bsc#1176564 bsc#1162702). - Do not create null.i000.ipa-clones file (bsc#1178330) - drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873). - drivers: watchdog: rdc321x_wdt: Fix race condition bugs (git-fixes). - drop Storage / bsc#1171688 subsection No effect on expanded tree. - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489). - eeprom: at25: set minimum read/write access stride to 1 (git-fixes). - exfat: fix name_hash computation on big endian systems (git-fixes). - exfat: fix overflow issue in exfat_cluster_to_sector() (git-fixes). - exfat: fix possible memory leak in exfat_find() (git-fixes). - exfat: fix use of uninitialized spinlock on error path (git-fixes). 
- exfat: fix wrong hint_stat initialization in exfat_find_dir_entry() (git-fixes). - exfat: fix wrong size update of stream entry by typo (git-fixes). - extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes). - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h (git-fixes). - ftrace: Fix recursion check for NMI test (git-fixes). - ftrace: Handle tracing when switching between context (git-fixes). - futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648). - futex: Consistently use fshared as boolean (bsc#1149032). - futex: Fix incorrect should_fail_futex() handling (bsc#1149032). - futex: Remove put_futex_key() (bsc#1149032). - futex: Remove unused or redundant includes (bsc#1149032). - gpio: pcie-idio-24: Enable PEX8311 interrupts (git-fixes). - gpio: pcie-idio-24: Fix IRQ Enable Register value (git-fixes). - gpio: pcie-idio-24: Fix irq mask when masking (git-fixes). - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24). - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11). - HID: hid-input: fix stylus battery reporting (git-fixes). - HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes). - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes). - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes). - hrtimer: Use sequence counter with associated raw spinlock (bsc#1176564 bsc#1162702). - hv_netvsc: Add XDP support (bsc#1177820). - hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177820). - hv_netvsc: make recording RSS hash depend on feature flag (bsc#1177820). - hv_netvsc: record hardware hash in skb (bsc#1177820). - hwmon: (mlxreg-fan) Fix double "Mellanox" (git-fixes). - hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} (git-fixes). - hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306). 
- i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes). - i2c: cpm: Fix i2c_ram structure (git-fixes). - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes). - i2c: meson: fix clock setting overwrite (git-fixes). - i2c: meson: fixup rate calculation with filter delay (git-fixes). - i2c: owl: Clear NACK and BUS error bits (git-fixes). - i2c: rcar: Auto select RESET_CONTROLLER (git-fixes). - i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes). - i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes). - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897). - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes). - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes). - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes). - ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes). - icmp: randomize the global rate limiter (git-fixes). - ida: Free allocated bitmap in error path (git-fixes). - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes). - iio: adc: gyroadc: fix leak of device node iterator (git-fixes). - iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes). - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes). - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes). - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes). - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes). - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes). - ima: Do not ignore errors from crypto_shash_update() (git-fixes). - ima: extend boot_aggregate with kernel measurements (bsc#1177617). - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes). 
- Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes). - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes). - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes). - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes). - Input: stmfts - fix a & vs && typo (git-fixes). - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes). - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes). - iocost: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702). - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754). - iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400). - iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739). - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24). - ipmi_si: Fix wrong return value in try_smi_init() (git-fixes). - ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24). - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes). - ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24). - ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24). - ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11). - ipvlan: fix device features (networking-stable-20_08_24). - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes). - kabi fix for NFS: Fix flexfiles read failover (git-fixes). - kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353). - kabi/severities: ignore kABI for target_core_rbd Match behaviour for all other Ceph specific modules. - kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes). - kbuild: enforce -Werror=return-type (bsc#1177281). - kexec: Do not take mutex when crashing kernel (bsc#1177698). 
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes). - kvm/eventfd: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702). - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes). - lan743x: fix "BUG: invalid wait context" when setting rx mode (git-fixes). - leds: bcm6328, bcm6358: use devres LED registering function (git-fixes). - leds: mt6323: move period calculation (git-fixes). - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177). - libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873). - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes). - lib/crc32test: remove extra local_irq_disable/enable (git-fixes). - lockdep: Add preemption enabled/disabled assertion APIs (bsc#1176564 bsc#1162702). - lockdep: Split header file into lockdep and lockdep_types (bsc#1176564 bsc#1162702). - mac80211: handle lack of sband->bitrates in rates (git-fixes). - macsec: avoid use-after-free in macsec_handle_frame() (git-fixes). - mailbox: avoid timer start from callback (git-fixes). - media: ati_remote: sanity check for both endpoints (git-fixes). - media: bdisp: Fix runtime PM imbalance on error (git-fixes). - media: camss: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes). - media: exynos4-is: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes). - media: firewire: fix memory leak (git-fixes). - media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes). - media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes). - media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes). - media: imx274: fix frame interval handling (git-fixes). - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes). 
- media: media/pci: prevent memory leak in bttv_probe (git-fixes). - media: mx2_emmaprp: Fix memleak in emmaprp_probe (git-fixes). - media: omap3isp: Fix memleak in isp_probe (git-fixes). - media: ov5640: Correct Bit Div register in clock tree diagram (git-fixes). - media: platform: fcp: Fix a reference count leak (git-fixes). - media: platform: Improve queue set up flow for bug fixing (git-fixes). - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes). - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes). - media: rcar-csi2: Allocate v4l2_async_subdev dynamically (git-fixes). - media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes). - media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes). - media: rcar-vin: Fix a reference count leak (git-fixes). - media: rc: do not access device via sysfs after rc_unregister_device() (git-fixes). - media: rc: uevent sysfs file races with rc_unregister_device() (git-fixes). - media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" (git-fixes). - media: rockchip/rga: Fix a reference count leak (git-fixes). - media: s5p-mfc: Fix a reference count leak (git-fixes). - media: saa7134: avoid a shift overflow (git-fixes). - media: staging/intel-ipu3: css: Correctly reset some memory (git-fixes). - media: st-delta: Fix reference count leak in delta_run_work (git-fixes). - media: sti: Fix reference count leaks (git-fixes). - media: stm32-dcmi: Fix a reference count leak (git-fixes). - media: tc358743: cleanup tc358743_cec_isr (git-fixes). - media: tc358743: initialize variable (git-fixes). - media: ti-vpe: Fix a missing check and reference count leak (git-fixes). - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes). - media: tw5864: check status of tw5864_frameinterval_get (git-fixes). - media: usbtv: Fix refcounting mixup (git-fixes). - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes). 
- media: uvcvideo: Fix dereference of out-of-bound list iterator (git-fixes). - media: uvcvideo: Fix uvc_ctrl_fixup_xu_info() not having any effect (git-fixes). - media: uvcvideo: Set media controller entity functions (git-fixes). - media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes). - media: v4l2-async: Document asd allocation requirements (git-fixes). - media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes). - media: vsp1: Fix runtime PM imbalance on error (git-fixes). - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703). - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes). - memory: omap-gpmc: Fix a couple off by ones (git-fixes). - memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes). - mfd: sm501: Fix leaks in probe() (git-fixes). - mic: vop: copy data to kernel space then write to io memory (git-fixes). - misc: mic: scif: Fix error handling path (git-fixes). - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes). - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes). - mm: call cond_resched() from deferred_init_memmap() (git fixes (mm/init), bsc#1177697). - mmc: core: do not set limits.discard_granularity as 0 (git-fixes). - mm, compaction: fully assume capture is not NULL in compact_zone_order() (git fixes (mm/compaction), bsc#1177681). - mm, compaction: make capture control handling safe wrt interrupts (git fixes (mm/compaction), bsc#1177681). - mmc: renesas_sdhi_core: Add missing tmio_mmc_host_free() at remove (git-fixes). - mmc: sdhci-acpi: AMDI0040: Set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes). - mmc: sdhci: Add LTR support for some Intel BYT based controllers (git-fixes). - mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes). - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes). - mm/debug.c: always print flags in dump_page() (git fixes (mm/debug)). 
- mm: do not panic when links can't be created in sysfs (bsc#1178002). - mm: do not rely on system state to detect hot-plug operations (bsc#1178002). - mm: fix a race during THP splitting (bsc#1178255). - mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)). - mm: initialize deferred pages with interrupts enabled (git fixes (mm/init), bsc#1177697). - mm: madvise: fix vma user-after-free (git-fixes). - mm, memcg: fix inconsistent oom event behavior (bsc#1178659). - mm/memcg: fix refcount error while moving and swapping (bsc#1178686). - mm/memcontrol.c: add missed css_put() (bsc#1178661). - mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() (bsc#1177694). - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)). - mm/migrate.c: also overwrite error when it is bigger than zero (git fixes (mm/move_pages), bsc#1177683). - mm: move_pages: report the number of non-attempted pages (git fixes (mm/move_pages), bsc#1177683). - mm: move_pages: return valid node id in status if the page is already on the target node (git fixes (mm/move_pages), bsc#1177683). - mm/pagealloc.c: call touch_nmi_watchdog() on max order boundaries in deferred init (git fixes (mm/init), bsc#1177697). - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)). - mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)). - mm: replace memmap_context by meminit_context (bsc#1178002). - mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)). - mm, slab/slub: move and improve cache_from_obj() (mm/slub bsc#1165692). - mm, slub: extend checks guarded by slub_debug static key (mm/slub bsc#1165692). - mm, slub: extend slub_debug syntax for multiple blocks (mm/slub bsc#1165692). - mm, slub: introduce kmem_cache_debug_flags() (mm/slub bsc#1165692). - mm, slub: introduce static key for slub_debug() (mm/slub bsc#1165692). 
- mm, slub: make reclaim_account attribute read-only (mm/slub bsc#1165692). - mm, slub: make remaining slub_debug related attributes read-only (mm/slub bsc#1165692). - mm, slub: make some slub_debug related attributes read-only (mm/slub bsc#1165692). - mm, slub: remove runtime allocation order changes (mm/slub bsc#1165692). - mm, slub: restore initial kmem_cache flags (mm/slub bsc#1165692). - mm/swap: Do not abuse the seqcount_t latching API (bsc#1176564 bsc#1162702). Remove: - mm/swapfile.c: fix potential memory leak in sys_swapon (git-fixes). - mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)). - module: Correctly truncate sysfs sections output (git-fixes). - module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes). - module: Refactor section attr into bin attribute (git-fixes). - module: statically initialize init section freeing data (git-fixes). - mtd: lpddr: Fix bad logic in print_drs_error (git-fixes). - mtd: lpddr: fix excessive stack usage with clang (git-fixes). - mtd: mtdoops: Do not write panic data twice (git-fixes). - mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes). - mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes). - mtd: spinand: gigadevice: Add QE Bit (git-fixes). - mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes). - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes). - mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes). - mwifiex: fix double free (git-fixes). - mwifiex: remove function pointer check (git-fixes). - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes). - net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873). - net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24). - net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes). 
- net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24). - net: disable netpoll on fresh napis (networking-stable-20_09_11). - net: dsa: b53: check for timeout (networking-stable-20_08_24). - net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24). - net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24). - netfilter: conntrack: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702). - netfilter: nft_set_rbtree: Use sequence counter with associated rwlock (bsc#1176564 bsc#1162702). - net: Fix bridge enslavement failure (networking-stable-20_09_24). - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24). - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11). - net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873). kABI workaround for including mm.h in include/linux/net.h (bsc#1172873). - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24). - netlabel: fix problems with mapping removal (networking-stable-20_09_11). - net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24). - net: lantiq: Use napi_complete_done() (networking-stable-20_09_24). - net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24). - net: lantiq: Wake TX queue again (networking-stable-20_09_24). - net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24). - net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24). - net/mlx5: Fix FTE cleanup (networking-stable-20_09_24). - net: mscc: ocelot: fix race condition with TX timestamping (bsc#1178461). - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24). - net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24). 
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
- net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
- net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nfp: use correct define to return NONE fec (networking-stable-20_09_24).
- nfsd4: fix NULL dereference in nfsd/clients display code (git-fixes).
- NFS: Do not move layouts to plh_return_segs list while in use (git-fixes).
- NFS: Do not return layout segments that are in use (git-fixes).
- nfs: ensure correct writeback errors are returned on close() (git-fixes).
- NFS: Fix flexfiles read failover (git-fixes).
- nfs: nfs_file_write() should check for writeback errors (git-fixes).
- NFSv4.2: fix client's attribute cache management for copy_file_range (git-fixes).
- NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE (bsc#1176180).
- NFSv4: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702).
- NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE (bsc#1176180).
- NFSv4.x recover from pre-mature loss of openstateid (bsc#1176180).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
- nvme-multipath: retry commands for dying queues (bsc#1171688).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- overflow: Include header file with SIZE_MAX declaration (git-fixes).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes).
- PCI/ACPI: Whitelist hotplug ports for D3 if power managed by ACPI (git-fixes).
- percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489).
- perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
- pinctrl: aspeed: Fix GPI only function problem (git-fixes).
- pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification.
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
- PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
- PM: runtime: Drop runtime PM references to supplier on link removal (git-fixes).
- pNFS/flexfiles: Ensure we initialise the mirror bsizes correctly on read (git-fixes).
- powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- power: supply: bq27xxx: report "not charging" on all types (git-fixes).
- power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes).
- pwm: img: Fix null pointer access in probe (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- qla2xxx: Return EBUSY on fcport deletion (bsc#1171688).
- qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes).
- r8169: fix data corruption issue on RTL8402 (bsc#1174098).
- r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
- r8169: fix operation under forced interrupt threading (git-fixes).
- raid5: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702).
- rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes).
- rbtree_latch: Use seqcount_latch_t (bsc#1176564 bsc#1162702).
- RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request (bsc#1175621).
- Refresh patches.suse/vfs-add-super_operations-get_inode_dev. (bsc#1176983)
- regulator: axp20x: fix LDO2/4 description (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- rename Other drivers / Intel IOMMU subsection to IOMMU
- reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtc: rx8010: do not modify the global rtc ops (git-fixes).
- rtl8xxxu: prevent potential memory leak (git-fixes).
- rtw88: increse the size of rx buffer size (git-fixes).
- s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
- s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
- sched_clock: Expose struct clock_read_data (bsc#1176564 bsc#1162702).
- sched: tasks: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873).
- scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix memory size truncation (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Performance tweak (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1171688 bsc#1174003).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- selftests/timers: Turn off timeout setting (git-fixes).
- seqcount: Compress SEQCNT_LOCKNAME_ZERO() (bsc#1176564 bsc#1162702).
- seqcount: More consistent seqprop names (bsc#1176564 bsc#1162702).
- seqlock: Add kernel-doc for seqcount_t and seqlock_t APIs (bsc#1176564 bsc#1162702).
- seqlock: Align multi-line macros newline escapes at 72 columns (bsc#1176564 bsc#1162702).
- seqlock: Extend seqcount API with associated locks (bsc#1176564 bsc#1162702).
- seqlock: Fold seqcount_LOCKNAME_init() definition (bsc#1176564 bsc#1162702).
- seqlock: Fold seqcount_LOCKNAME_t definition (bsc#1176564 bsc#1162702).
- seqlock: Implement raw_seqcount_begin() in terms of raw_read_seqcount() (bsc#1176564 bsc#1162702).
- seqlock: Introduce seqcount_latch_t (bsc#1176564 bsc#1162702).
- seqlock, kcsan: Add annotations for KCSAN (bsc#1176564 bsc#1162702).
- seqlock: lockdep assert non-preemptibility on seqcount_t write (bsc#1176564 bsc#1162702).
- seqlock: PREEMPT_RT: Do not starve seqlock_t writers (bsc#1176564 bsc#1162702).
- seqlock: Properly format kernel-doc code samples (bsc#1176564 bsc#1162702).
- seqlock: Reorder seqcount_t and seqlock_t API definitions (bsc#1176564 bsc#1162702).
- seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier (bsc#1176564 bsc#1162702).
- seqlock: seqcount latch APIs: Only allow seqcount_latch_t (bsc#1176564 bsc#1162702).
- seqlock: seqcount_LOCKNAME_t: Introduce PREEMPT_RT support (bsc#1176564 bsc#1162702).
- seqlock: seqcount_LOCKNAME_t: Standardize naming convention (bsc#1176564 bsc#1162702).
- seqlock: seqcount_t: Implement all read APIs as statement expressions (bsc#1176564 bsc#1162702).
- seqlock: seqcount_t latch: End read sections with read_seqcount_retry() (bsc#1176564 bsc#1162702).
- seqlock: s/__SEQ_LOCKDEP/__SEQ_LOCK/g (bsc#1176564 bsc#1162702).
- seqlock: Unbreak lockdep (bsc#1176564 bsc#1162702).
- seqlock: Use unique prefix for seqcount_t property accessors (bsc#1176564 bsc#1162702).
- serial: 8250_mtk: Fix uart_get_baud_rate warning (git-fixes).
- serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init (git-fixes).
- slimbus: core: check get_addr before removing laddr ida (git-fixes).
- slimbus: core: do not enter to clock pause mode in core (git-fixes).
- slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes).
- soc: fsl: qbman: Fix return value on success (git-fixes).
- spi: dw-pci: free previously allocated IRQs if desc->setup() fails (git-fixes).
- spi: omap2-mcspi: Improve performance waiting for CHSTAT (git-fixes).
- spi: spi-s3c64xx: Check return values (git-fixes).
- spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
- spi: sprd: Release DMA channel also on probe deferral (git-fixes).
- spi: stm32: Rate-limit the 'Communication suspended' message (git-fixes).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
- SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()") (git-fixes).
- svcrdma: fix bounce buffers for unaligned offsets and multiple pages (git-fixes).
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (git-fixes).
- Sync rt_debug config file.
- taprio: Fix allowing too small intervals (networking-stable-20_09_24).
- tcp: use sendpage_ok() to detect misused .sendpage (bsc#1172873).
- timekeeping: Use seqcount_latch_t (bsc#1176564 bsc#1162702).
- timekeeping: Use sequence counter with associated raw spinlock (bsc#1176564 bsc#1162702).
- time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
- time/sched_clock: Use raw_read_seqcount_latch() (bsc#1176564 bsc#1162702).
- time/sched_clock: Use raw_read_seqcount_latch() during suspend (bsc#1176564 bsc#1162702).
- time/sched_clock: Use seqcount_latch_t (bsc#1176564 bsc#1162702).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tracing: Check return value of __create_val_fields() before using its result (git-fixes).
- tracing: Fix out of bounds write in get_trace_buf (git-fixes).
- tracing: Save normal string variables (git-fixes).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: add LS1028A support (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- tty: serial: fsl_lpuart: LS1021A had a FIFO size of 16 words, like LS1028A (git-fixes).
- uio: free uio id after uio file node is freed (git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: fix cooldown mechanism (git-fixes).
- USB: cdc-acm: handle broken union descriptors (git-fixes).
- USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
- usb: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes).
- usb: dwc3: simple: add support for Hikey 970 (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usblp: fix race between disconnect() and read() (git-fixes).
- usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: cyberjack: fix write-URB completion race (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes).
- usb: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- usb: xhci-mtk: Fix typo (git-fixes).
- usb: xhci: omit duplicate actions when suspending a runtime suspended host (git-fixes).
- userfaultfd: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702).
- vfs: Use sequence counter with associated spinlock (bsc#1176564 bsc#1162702).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- virtio-net: do not disable guest csum when disable LRO (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- whitespace cleanup
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
- x86/tsc: Use seqcount_latch_t (bsc#1176564 bsc#1162702).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfrm: policy: Use sequence counters with associated lock (bsc#1176564 bsc#1162702).
- xfs: complain if anyone tries to create a too-large buffer log item (bsc#1166146).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
- xfs: fix scrub flagging rtinherit even if there is no rt device (git-fixes).
- xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xfs: introduce XFS_MAX_FILEOFF (bsc#1166166).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xfs: remove unused variable 'done' (bsc#1166166).
- xfs: set xefi_discard when creating a deferred agfl free log intent item (git-fixes).
- xfs: truncate should remove all blocks, not just to the end of the page cache (bsc#1166166).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).
- xprtrdma: fix incorrect header size calculations (git-fixes).

Special Instructions and Notes:

  Please reboot the system after installing this update.

Patch Instructions:

  To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Module for Realtime 15-SP2:

    zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2020-3522=1

Package List:

  - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

    kernel-devel-rt-5.3.18-16.1
    kernel-source-rt-5.3.18-16.1

  - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

    cluster-md-kmp-rt-5.3.18-16.1
    cluster-md-kmp-rt-debuginfo-5.3.18-16.1
    dlm-kmp-rt-5.3.18-16.1
    dlm-kmp-rt-debuginfo-5.3.18-16.1
    gfs2-kmp-rt-5.3.18-16.1
    gfs2-kmp-rt-debuginfo-5.3.18-16.1
    kernel-rt-5.3.18-16.1
    kernel-rt-debuginfo-5.3.18-16.1
    kernel-rt-debugsource-5.3.18-16.1
    kernel-rt-devel-5.3.18-16.1
    kernel-rt-devel-debuginfo-5.3.18-16.1
    kernel-rt_debug-debuginfo-5.3.18-16.1
    kernel-rt_debug-debugsource-5.3.18-16.1
    kernel-rt_debug-devel-5.3.18-16.1
    kernel-rt_debug-devel-debuginfo-5.3.18-16.1
    kernel-syms-rt-5.3.18-16.1
    ocfs2-kmp-rt-5.3.18-16.1
    ocfs2-kmp-rt-debuginfo-5.3.18-16.1

References:

  https://www.suse.com/security/cve/CVE-2020-12351.html
  https://www.suse.com/security/cve/CVE-2020-12352.html
  https://www.suse.com/security/cve/CVE-2020-14351.html
  https://www.suse.com/security/cve/CVE-2020-16120.html
  https://www.suse.com/security/cve/CVE-2020-24490.html
  https://www.suse.com/security/cve/CVE-2020-25285.html
  https://www.suse.com/security/cve/CVE-2020-25656.html
  https://www.suse.com/security/cve/CVE-2020-25668.html
  https://www.suse.com/security/cve/CVE-2020-25704.html
  https://www.suse.com/security/cve/CVE-2020-25705.html
  https://www.suse.com/security/cve/CVE-2020-28974.html
  https://www.suse.com/security/cve/CVE-2020-8694.html
  https://bugzilla.suse.com/1055014
  https://bugzilla.suse.com/1055186
  https://bugzilla.suse.com/1061843
  https://bugzilla.suse.com/1065600
  https://bugzilla.suse.com/1065729
  https://bugzilla.suse.com/1066382
  https://bugzilla.suse.com/1077428
  https://bugzilla.suse.com/1129923
  https://bugzilla.suse.com/1134760
  https://bugzilla.suse.com/1149032
  https://bugzilla.suse.com/1152489
  https://bugzilla.suse.com/1162702
  https://bugzilla.suse.com/1163592
  https://bugzilla.suse.com/1164648
  https://bugzilla.suse.com/1165692
  https://bugzilla.suse.com/1166146
  https://bugzilla.suse.com/1166166
  https://bugzilla.suse.com/1167030
  https://bugzilla.suse.com/1170415
  https://bugzilla.suse.com/1170446
  https://bugzilla.suse.com/1171073
  https://bugzilla.suse.com/1171688
  https://bugzilla.suse.com/1172873
  https://bugzilla.suse.com/1174003
  https://bugzilla.suse.com/1174098
  https://bugzilla.suse.com/1174748
  https://bugzilla.suse.com/1174969
  https://bugzilla.suse.com/1175052
  https://bugzilla.suse.com/1175306
  https://bugzilla.suse.com/1175621
  https://bugzilla.suse.com/1175721
  https://bugzilla.suse.com/1175749
  https://bugzilla.suse.com/1175807
  https://bugzilla.suse.com/1175898
  https://bugzilla.suse.com/1176180
  https://bugzilla.suse.com/1176354
  https://bugzilla.suse.com/1176400
  https://bugzilla.suse.com/1176485
  https://bugzilla.suse.com/1176564
  https://bugzilla.suse.com/1176713
  https://bugzilla.suse.com/1176907
  https://bugzilla.suse.com/1176983
  https://bugzilla.suse.com/1177086
  https://bugzilla.suse.com/1177090
  https://bugzilla.suse.com/1177109
  https://bugzilla.suse.com/1177271
  https://bugzilla.suse.com/1177281
  https://bugzilla.suse.com/1177353
  https://bugzilla.suse.com/1177410
  https://bugzilla.suse.com/1177411
  https://bugzilla.suse.com/1177470
  https://bugzilla.suse.com/1177617
  https://bugzilla.suse.com/1177681
  https://bugzilla.suse.com/1177683
  https://bugzilla.suse.com/1177687
  https://bugzilla.suse.com/1177694
  https://bugzilla.suse.com/1177697
  https://bugzilla.suse.com/1177698
  https://bugzilla.suse.com/1177703
  https://bugzilla.suse.com/1177719
  https://bugzilla.suse.com/1177724
  https://bugzilla.suse.com/1177725
  https://bugzilla.suse.com/1177726
  https://bugzilla.suse.com/1177727
  https://bugzilla.suse.com/1177729
  https://bugzilla.suse.com/1177739
  https://bugzilla.suse.com/1177749
  https://bugzilla.suse.com/1177750
  https://bugzilla.suse.com/1177754
  https://bugzilla.suse.com/1177755
  https://bugzilla.suse.com/1177765
  https://bugzilla.suse.com/1177766
  https://bugzilla.suse.com/1177799
  https://bugzilla.suse.com/1177801
  https://bugzilla.suse.com/1177814
  https://bugzilla.suse.com/1177817
  https://bugzilla.suse.com/1177820
  https://bugzilla.suse.com/1177854
  https://bugzilla.suse.com/1177855
  https://bugzilla.suse.com/1177856
  https://bugzilla.suse.com/1177861
  https://bugzilla.suse.com/1178002
  https://bugzilla.suse.com/1178079
  https://bugzilla.suse.com/1178123
  https://bugzilla.suse.com/1178166
  https://bugzilla.suse.com/1178173
  https://bugzilla.suse.com/1178175
  https://bugzilla.suse.com/1178176
  https://bugzilla.suse.com/1178177
  https://bugzilla.suse.com/1178183
  https://bugzilla.suse.com/1178184
  https://bugzilla.suse.com/1178185
  https://bugzilla.suse.com/1178186
  https://bugzilla.suse.com/1178190
  https://bugzilla.suse.com/1178191
  https://bugzilla.suse.com/1178246
  https://bugzilla.suse.com/1178255
  https://bugzilla.suse.com/1178304
  https://bugzilla.suse.com/1178307
  https://bugzilla.suse.com/1178330
  https://bugzilla.suse.com/1178393
  https://bugzilla.suse.com/1178395
  https://bugzilla.suse.com/1178461
  https://bugzilla.suse.com/1178579
  https://bugzilla.suse.com/1178581
  https://bugzilla.suse.com/1178584
  https://bugzilla.suse.com/1178585
  https://bugzilla.suse.com/1178589
  https://bugzilla.suse.com/1178591
  https://bugzilla.suse.com/1178622
  https://bugzilla.suse.com/1178659
  https://bugzilla.suse.com/1178661
  https://bugzilla.suse.com/1178686
  https://bugzilla.suse.com/1178700
  https://bugzilla.suse.com/1178782

From sle-security-updates at lists.suse.com Wed Nov 25 10:30:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Nov 2020 18:30:04 +0100 (CET)
Subject: SUSE-SU-2020:3514-1: moderate: Security update for ucode-intel
Message-ID: <20201125173004.596D8F7D6@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3514-1
Rating:             moderate
References:         #1170446 #1173592 #1173594 #1178971
Cross-References:   CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for ucode-intel fixes the following issues:

- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
  - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
  - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
  - Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
  - Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
  - Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
  - Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
  - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
  - Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
  - Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| CPX-SP         | A1       | 06-55-0b/bf |          | 0700001e | Xeon Scalable Gen3 |
| LKF            | B2/B3    | 06-8a-01/10 |          | 00000028 | Core w/Hybrid Technology |
| TGL            | B1       | 06-8c-01/80 |          | 00000068 | Core Gen11 Mobile |
| CML-H          | R1       | 06-a5-02/20 |          | 000000e0 | Core Gen10 Mobile |
| CML-S62        | G1       | 06-a5-03/22 |          | 000000e0 | Core Gen10 |
| CML-S102       | Q0       | 06-a5-05/22 |          | 000000e0 | Core Gen10 |
| CML-U62 V2     | K0       | 06-a6-01/80 |          | 000000e0 | Core Gen10 Mobile |

### Updated Platforms

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products |
|:---------------|:---------|:------------|:---------|:---------|:---------|
| HSX-E/EP       | Cx/M1    | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 |
| SKL-U/Y        | D0       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKL-U23e       | K1       | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile |
| SKX-SP         | B1       | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable |
| SKX-SP         | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable |
| SKX-D          | M1       | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx |
| CLX-SP         | B0       | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 |
| CLX-SP         | B1       | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 |
| APL            | D0       | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx |
| APL            | E0       | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx |
| SKL-H/S        | R0/N0    | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 |
| GKL-R          | R0       | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 |
| ICL-U/Y        | D1       | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile |
| AML-Y22        | H0       | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-U/Y        | H0       | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile |
| CFL-U43e       | D0       | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile |
| WHL-U          | W0       | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile |
| AML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| CML-Y42        | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile |
| WHL-U          | V0       | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile |
| KBL-G/H/S/E3   | B0       | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 |
| CFL-H/S/E3     | U0       | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E |
| CFL-S          | B0       | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 |
| CFL-H/S        | P0       | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 |
| CFL-H          | R0       | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile |
| CML-U62        | A0       | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile |

Patch Instructions:

  To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

  Alternatively you can run the command listed for your product:

  - SUSE OpenStack Cloud Crowbar 9:

    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3514=1

  - SUSE OpenStack Cloud Crowbar 8:

    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3514=1

  - SUSE OpenStack Cloud 9:

    zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3514=1

  - SUSE OpenStack Cloud 8:

    zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3514=1

  - SUSE OpenStack Cloud 7:

    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3514=1

  - SUSE Linux Enterprise Server for SAP 12-SP4:

    zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3514=1

  - SUSE Linux Enterprise Server for SAP 12-SP3:

    zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3514=1

  - SUSE Linux Enterprise Server for SAP 12-SP2:

    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3514=1

  - SUSE Linux Enterprise Server 12-SP4-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3514=1

  - SUSE Linux Enterprise Server 12-SP3-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3514=1

  - SUSE Linux Enterprise Server 12-SP3-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3514=1

  - SUSE Linux Enterprise Server 12-SP2-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3514=1

  - SUSE Linux Enterprise Server 12-SP2-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3514=1

  - SUSE Enterprise Storage 5:

    zypper in -t patch SUSE-Storage-5-2020-3514=1

  - HPE Helion Openstack 8:

    zypper in -t patch HPE-Helion-OpenStack-8-2020-3514=1

Package List:

  - SUSE OpenStack Cloud Crowbar 9 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE OpenStack Cloud Crowbar 8 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE OpenStack Cloud 9 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE OpenStack Cloud 8 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE OpenStack Cloud 7 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

    ucode-intel-20201118-13.81.1
    ucode-intel-debuginfo-20201118-13.81.1
    ucode-intel-debugsource-20201118-13.81.1

  - SUSE Linux
Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20201118-13.81.1 ucode-intel-debuginfo-20201118-13.81.1 ucode-intel-debugsource-20201118-13.81.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20201118-13.81.1 ucode-intel-debuginfo-20201118-13.81.1 ucode-intel-debugsource-20201118-13.81.1 - SUSE Enterprise Storage 5 (x86_64): ucode-intel-20201118-13.81.1 ucode-intel-debuginfo-20201118-13.81.1 ucode-intel-debugsource-20201118-13.81.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20201118-13.81.1 ucode-intel-debuginfo-20201118-13.81.1 ucode-intel-debugsource-20201118-13.81.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8696.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 https://bugzilla.suse.com/1173592 https://bugzilla.suse.com/1173594 https://bugzilla.suse.com/1178971 From sle-security-updates at lists.suse.com Wed Nov 25 10:33:16 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 25 Nov 2020 18:33:16 +0100 (CET) Subject: SUSE-SU-2020:3516-1: important: Security update for bluez Message-ID: <20201125173316.766C3F7E7@maintenance.suse.de> SUSE Security Update: Security update for bluez ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3516-1 Rating: important References: #1166751 Cross-References: CVE-2020-0556 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise 
Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bluez fixes the following issues: - CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3516=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3516=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3516=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3516=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3516=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-3516=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3516=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3516=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3516=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3516=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3516=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3516=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3516=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t 
patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3516=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3516=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3516=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-3516=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-3516=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE OpenStack Cloud 9 (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE OpenStack Cloud 8 (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE OpenStack Cloud 7 (s390x x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): bluez-cups-5.13-5.23.1 bluez-cups-debuginfo-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 bluez-devel-5.13-5.23.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 
libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 - HPE Helion Openstack 8 (x86_64): bluez-5.13-5.23.1 bluez-debuginfo-5.13-5.23.1 bluez-debugsource-5.13-5.23.1 libbluetooth3-5.13-5.23.1 libbluetooth3-debuginfo-5.13-5.23.1 References: https://www.suse.com/security/cve/CVE-2020-0556.html https://bugzilla.suse.com/1166751 From sle-security-updates at lists.suse.com Thu Nov 26 
00:10:20 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Nov 2020 08:10:20 +0100 (CET) Subject: SUSE-CU-2020:696-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20201126071020.86940FBB3@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:696-1 Container Tags : ses/7/cephcsi/cephcsi:3.1.1 , ses/7/cephcsi/cephcsi:3.1.1.0.3.62 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.1.1 , ses/7/cephcsi/cephcsi:v3.1.1.0 Container Release : 3.62 Severity : important Type : security References : 1160790 1161088 1161089 1161670 1174232 1174593 1176116 1176256 1176257 1176258 1176259 1177458 1177490 1177510 1177699 1177858 1177864 1177939 1178387 1178512 1178727 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2020-15166 CVE-2020-25692 CVE-2020-28196 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov 4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released:    Tue Nov 10 09:50:29 2020
Summary:     Security update for zeromq
Type:        security
Severity:    moderate
References:  1176116,1176256,1176257,1176258,1176259,CVE-2020-15166

This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3269-1
Released:    Tue Nov 10 15:57:24 2020
Summary:     Security update for python-waitress
Type:        security
Severity:    moderate
References:  1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792

This update for python-waitress to 1.4.3 fixes the following security issues:

- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3301-1
Released:    Thu Nov 12 13:51:02 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1177939

This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3307-1
Released:    Thu Nov 12 14:17:55 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1177699

This update for rdma-core fixes the following issue:

- Move rxe_cfg to libibverbs-utils. (bsc#1177699)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Thu Nov 26 00:11:11 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:11:11 +0100 (CET)
Subject: SUSE-CU-2020:698-1: Security update of ses/7/ceph/grafana
Message-ID: <20201126071111.C97FAFBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:698-1
Container Tags        : ses/7/ceph/grafana:7.1.5 , ses/7/ceph/grafana:7.1.5.3.287 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus
Container Release     : 3.287
Severity              : important
Type                  : security
References            : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/ceph/grafana was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3249-1
Released:    Fri Nov 6 17:02:51 2020
Summary:     Recommended update for grafana
Type:        recommended
Severity:    moderate
References:

This update for grafana fixes the following issues:

- Update to version 7.1.5:
  * Features / Enhancements
    - Stats: Stop counting the same user multiple times.
    - Field overrides: Filter by field name using regex.
    - AzureMonitor: map more units.
    - Explore: Don't run queries on datasource change.
    - Graph: Support setting field unit & override data source (automatic) unit.
    - Explore: Unification of logs/metrics/traces user interface
    - Table: JSON Cell should try to convert strings to JSON
    - Variables: enables cancel for slow query variables queries.
    - TimeZone: unify the time zone pickers to one that can rule them all.
    - Search: support URL query params.
    - Grafana-UI: Add FileUpload.
    - TablePanel: Sort numbers correctly.
  * Bug fixes
    - Alerting: remove LongToWide call in alerting.
    - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used.
    - Variables: Fixes issue with All variable not being resolved.
    - Templating: Fixes so texts show in picker not the values.
    - Templating: Fix undefined result when using raw interpolation format
    - TextPanel: Fix content overflowing panel boundaries.
    - StatPanel: Fix stat panel display name not showing when explicitly set.
    - Query history: Fix search filtering if null value.
    - Flux: Ensure connections to InfluxDB are closed.
    - Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot save anything).
    - Prometheus: Fix prom links in mixed mode.
    - Sign In: Use correct url for the Sign In button.
    - StatPanel: Fixes issue with name showing for single series / field results
    - BarGauge: Fix space bug in single series mode.
    - Auth: Fix POST request failures with anonymous access
    - Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable
    - Templating: Fixed recursive queries triggered when switching dashboard settings view
    - GraphPanel: Fix annotations overflowing panels.
    - Prometheus: Fix performance issue in processing of histogram labels.
    - Datasources: Handle URL parsing error.
    - Security: Use Header.Set and Header.Del for X-Grafana-User header.
  * Changes in spec file
    - Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Thu Nov 26 00:12:54 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:12:54 +0100 (CET)
Subject: SUSE-CU-2020:699-1: Security update of ses/7/ceph/ceph
Message-ID: <20201126071254.9BD05FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:699-1
Container Tags        : ses/7/ceph/ceph:15.2.5.514 , ses/7/ceph/ceph:15.2.5.514.4.18 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release     : 4.18
Severity              : important
Type                  : security
References            : 1090767 1096515 1097410 1106873 1119069 1119069 1119105 1120374 1121045 1121207 1122983 1140868 1141322 1141322 1149792 1155350 1155357 1155360 1158527 1159819 1159819 1160790 1161088 1161089 1161573 1161670 1164076 1165828 1166880 1167494 1168416 1168669 1168669 1169042 1169746 1169872 1169997 1170571 1170572 1170908 1171978 1172807 1172807 1172816 1173032 1173391 1173560 1174230 1174232 1174593 1174697 1176116 1176173 1176173 1176256 1176257 1176258 1176259 1176285 1176325 1176384 1176756 1176899 1177458 1177490 1177510 1177699 1177811 1177858 1177939 1177977 1178217 1178387 1178512 1178727 996146 CVE-2018-0495 CVE-2018-12384 CVE-2018-12404 CVE-2018-12404 CVE-2018-12405 CVE-2018-17466 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18500 CVE-2018-18501 CVE-2018-18505 CVE-2018-18508 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729 CVE-2019-11730 CVE-2019-11745 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2019-17006 CVE-2019-17006 CVE-2019-9811 CVE-2020-12399 CVE-2020-12402 CVE-2020-15166 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15969 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1334-1
Released:    Tue Jul 17 09:06:41 2018
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1096515

This update for mozilla-nss provides the following fixes:

- Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515)
- Fix a problem that would cause connections to a server that was recently upgraded to TLS 1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Use relro linker option.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released:    Fri Dec 21 18:47:21 2018
Summary:     Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type:        security
Severity:    important
References:  1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
- CVE-2018-18498: Fixed an integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:91-1
Released:    Tue Jan 15 14:14:43 2019
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1090767,1121045,1121207

This update for mozilla-nss fixes the following issues:

- The hmac packages used in FIPS certification were inadvertently removed in the last update: re-added. (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:273-1
Released:    Wed Feb 6 16:48:18 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505

This update for MozillaFirefox, mozilla-nss fixes the following issues:

Security issues fixed:

- CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983).
- CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983).
- CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983).
- CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069).
Non-security issues fixed:

- Update to MozillaFirefox ESR 60.5.0
- Update to mozilla-nss 3.41.1

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1869-1
Released:    Wed Jul 17 14:03:20 2019
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811

This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1: * Added IPSEC IKE support to softoken * Many new FIPS test cases ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2142-1 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1141322 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2777-1
Released: Thu Oct 24 16:13:20 2019
Summary: Recommended update for fipscheck
Type: recommended
Severity: moderate
References: 1149792

This update for fipscheck fixes the following issues:

- Remove #include of unused fips.h to fix build with OpenSSL 1.1.1 (bsc#1149792)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released: Mon Dec 30 14:05:06 2019
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: moderate
References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed an issue that allowed CertificateVerify messages to be signed with PKCS#1 v1.5 signatures (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released: Thu Apr 2 14:37:31 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1155350,1155357,1155360,1166880

This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

* Use getrandom() to obtain entropy where possible.
* Make DSA KAT FIPS compliant.
* Use FIPS compliant hash when validating keypair.
* Enforce FIPS requirements on RSA key generation.
* Miscellaneous fixes to CAVS tests.
* Enforce FIPS limits on how much data can be processed without rekeying.
* Run self tests on library initialization in FIPS mode.
* Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher). * Clear various temporary variables after use. * Allow MD5 to be used in TLS PRF. * Preferentially gather entropy from /dev/random over /dev/urandom. * Allow enabling FIPS mode consistently with NSS_FIPS environment variable. * Fix argument parsing bug in lowhashtest. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:949-1 Released: Wed Apr 8 07:45:48 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1168669 This update for mozilla-nss fixes the following issues: - Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1055-1 Released: Tue Apr 21 15:53:44 2020 Summary: Recommended update for patterns-server-enterprise Type: recommended Severity: moderate References: 1168416,1169042 This update for patterns-server-enterprise fixes the following issues: - added libgnutls30-hmac to the FIPS pattern. (bsc#1169042 bsc#1168416) - remove strongswan-hmac-32bit (not used currently) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1061-1 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1169872 This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1131-1 Released: Tue Apr 28 11:59:17 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170571,1170572 This update for mozilla-nss fixes the following issues: - FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571) - FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks. - FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests. - FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1348-1 Released: Wed May 20 11:37:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170908 This update for mozilla-nss fixes the following issues: The following issues are fixed: - Add AES Keywrap POST. - Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). 
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1821-1
Released: Thu Jul 2 08:39:34 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1172807,1172816

This update for dracut fixes the following issues:

- 35network-legacy: Fix dual stack setups. (bsc#1172807)
- 95iscsi: fix missing space when compiling cmdline args. (bsc#1172816)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1850-1
Released: Mon Jul 6 14:44:39 2020
Summary: Security update for mozilla-nss
Type: security
Severity: moderate
References: 1168669,1173032,CVE-2020-12402

This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1950-1
Released: Fri Jul 17 17:16:21 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1161573,1165828,1169997,1172807,1173560

This update for dracut fixes the following issues:

- Update to version 049.1+suse.152.g8506e86f:
  * 01fips: modprobe failures during manual module loading are not fatal. (bsc#1169997)
  * 91zipl: parse-zipl.sh: honor SYSTEMD_READY. (bsc#1165828)
  * 95iscsi: fix ipv6 target discovery. (bsc#1172807)
  * 35network-legacy: correct conditional for creating did-setup file. (bsc#1172807)
- Update to version 049.1+suse.148.gc4a6c2dd:
  * 95fcoe: load 'libfcoe' module as a fallback. (bsc#1173560)
  * 99base: enable the initqueue in both 'dracut --add-device' and 'dracut --mount' cases.
(bsc#1161573)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2451-1
Released: Wed Sep 2 12:30:38 2020
Summary: Recommended update for dracut
Type: recommended
Severity: important
References: 1167494,996146

This update for dracut fixes the following issues:

Update from version 049.1+suse.152.g8506e86f to version 049.1+suse.156.g7d852636:

- net-lib.sh: support infiniband network mac addresses (bsc#996146)
- 95nfs: use ip_params_for_remote_addr() (bsc#1167494)
- 95iscsi: use ip_params_for_remote_addr() (bsc#1167494)
- dracut-functions: add ip_params_for_remote_addr() helper (bsc#1167494)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released: Wed Oct 21 11:37:14 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1176173

This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3059-1
Released: Wed Oct 28 06:11:23 2020
Summary: Recommended update for sysconfig
Type: recommended
Severity: moderate
References: 1173391,1176285,1176325

This update for sysconfig fixes the following issues:

- Fix for 'netconfig' to run with the new library location, with a fallback to the previous location. (bsc#1176285)
- Fix for the way files such as '/etc/resolv.conf' are rewritten, so that applications watching them do not re-read them and needlessly re-initialize themselves. (bsc#1176325)
- Fix for calling the 'chrony helper' in the background. (bsc#1173391)
- Fix for the configuration file: create a symlink to it to prevent wrong ownership of the file.
(bsc#1159566) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3091-1 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Type: security Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters 
were sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was changed to support macOS 11.
  * Dependency needed for the MozillaThunderbird update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released: Mon Nov 9 07:45:04 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1174697,1176173

This update for mozilla-nss fixes the following issues:

- Fixes an issue that caused Mozilla Firefox to fail in FIPS mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released: Tue Nov 10 09:50:29 2020
Summary: Security update for zeromq
Type: security
Severity: moderate
References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166

This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3269-1 Released: Tue Nov 10 15:57:24 2020 Summary: Security update for python-waitress Type: security Severity: moderate References: 1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792 This update for python-waitress to 1.4.3 fixes the following security issues: - CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3301-1 Released: Thu Nov 12 13:51:02 2020 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1177939 This update for openssh fixes the following issues: - Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939). 
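The four python-waitress fixes above (SUSE-SU-2020:3269-1) are all the same failure class: a front-end proxy and the back-end server parse the same bytes differently, so one of them sees a second request hidden inside the first. What follows is an added example, not waitress code or part of the advisory: a strict HTTP/1.1 request-head validator written for this page that refuses each of the four ambiguous inputs (bare LF line endings, an unknown Transfer-Encoding, a non-SP/HTAB whitespace byte inside a header line, and a duplicated Content-Length) rather than guessing. The sample requests, the rejection strings and the set of recognised transfer codings are assumptions made for the example.

```python
"""Strict HTTP/1.1 request-head validator (added example, not waitress code).

Rejects the four ambiguity classes the python-waitress advisory describes, so
that a front-end proxy and this server never disagree about where one request
ends and the next begins. All sample requests are constructed for the example.
"""
from __future__ import annotations
import re

# RFC 7230 "token": the only syntax a header field name may have.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Control bytes other than HTAB. Python's str.split()/strip() also treat \x0b
# and \x0c as whitespace; a proxy that does not is the CVE-2019-16789 mismatch.
_CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
_KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}


class SmugglingRisk(ValueError):
    """The request head is ambiguous enough to enable request smuggling."""


def split_head(raw: bytes) -> list[bytes]:
    """Return request-line plus header lines; CRLF is the only delimiter."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    # CVE-2019-16785 class: a proxy that accepts a bare LF as a line ending
    # and a back end that does not will disagree about where headers end.
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise SmugglingRisk("bare CR or LF inside request head")
    return lines


def parse_headers(lines: list[bytes]) -> dict[bytes, list[bytes]]:
    """Parse header lines into {lowercased name: [values]} with strict syntax."""
    headers: dict[bytes, list[bytes]] = {}
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            raise SmugglingRisk("obsolete line folding")
        if _CTL_RE.search(line):
            raise SmugglingRisk("control character in header line")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN_RE.match(name):  # "Content-Length : 5" is not a token
            raise SmugglingRisk("invalid header field name")
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    return headers


def message_framing(headers: dict[bytes, list[bytes]]) -> tuple[str, int]:
    """Return ("chunked", 0), ("length", n) or ("none", 0); raise if ambiguous."""
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:  # RFC 7230 permits rejecting this; accepting it is the CL.TE desync
        raise SmugglingRisk("both Transfer-Encoding and Content-Length")
    if te:
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        if any(c not in _KNOWN_CODINGS for c in codings):
            raise SmugglingRisk("unknown transfer coding")  # CVE-2019-16786 class
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            raise SmugglingRisk("chunked must be the single final coding")
        return ("chunked", 0)
    if cl:
        if len(cl) != 1:  # CVE-2019-16792 class: Content-Length sent twice
            raise SmugglingRisk("multiple Content-Length headers")
        if not cl[0].isdigit():
            raise SmugglingRisk("non-numeric Content-Length")
        return ("length", int(cl[0]))
    return ("none", 0)


def validate_request(raw: bytes) -> tuple[bytes, str, int]:
    """Return (request-line, framing, length), or raise SmugglingRisk."""
    lines = split_head(raw)
    framing, length = message_framing(parse_headers(lines[1:]))
    return lines[0], framing, length


# Constructed samples: one clean request and one per advisory CVE class.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: a\nContent-Length: 5\r\n\r\nhello",
    "bad_te": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "vt_space": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length:\x0b5\r\n\r\nhello",
    "double_cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
}


def classify_samples() -> dict[str, str]:
    """Run each sample through the validator: 'ok' or the rejection reason."""
    verdicts = {}
    for name, raw in SAMPLES.items():
        try:
            validate_request(raw)
            verdicts[name] = "ok"
        except SmugglingRisk as exc:
            verdicts[name] = str(exc)
    return verdicts
```

The design choice worth noting is that every ambiguous case is a hard 400-style rejection, never a normalisation: the moment a server picks one interpretation of a malformed head, it can only be safe if every proxy in front of it picks the same one, which is exactly the assumption these CVEs broke.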
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3307-1 Released: Thu Nov 12 14:17:55 2020 Summary: Recommended update for rdma-core Type: recommended Severity: moderate References: 1177699 This update for rdma-core fixes the following issue: - Move rxe_cfg to libibverbs-utils. (bsc#1177699) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. 
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user.
(bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3498-1 Released: Tue Nov 24 13:07:16 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1164076,1177811,1178217 This update for dracut fixes the following issues: - Update from version 049.1+suse.156.g7d852636 to version 049.1+suse.171.g65b2addf: - dracut.sh: FIPS workaround for openssl-libs (bsc#1178217) - 01fips: turn info calls into fips_info calls (bsc#1164076) - 00systemd: add missing cryptsetup-related targets (bsc#1177811) From sle-security-updates at lists.suse.com Thu Nov 26 00:15:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Nov 2020 08:15:09 +0100 (CET) Subject: SUSE-CU-2020:702-1: Security update of ses/7/cephcsi/csi-attacher Message-ID: <20201126071509.72EDCFBB3@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/csi-attacher ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:702-1 Container Tags : ses/7/cephcsi/csi-attacher:v2.1.0 , ses/7/cephcsi/csi-attacher:v2.1.0-rev1 , ses/7/cephcsi/csi-attacher:v2.1.0-rev1-build3.104 Container Release : 3.104 Severity : important Type : security References : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. 
(bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. 
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user.
(bsc#1174593) From sle-security-updates at lists.suse.com Thu Nov 26 00:15:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Nov 2020 08:15:46 +0100 (CET) Subject: SUSE-CU-2020:703-1: Security update of ses/7/cephcsi/csi-livenessprobe Message-ID: <20201126071546.936D3FBB3@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/csi-livenessprobe ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:703-1 Container Tags : ses/7/cephcsi/csi-livenessprobe:v1.1.0 , ses/7/cephcsi/csi-livenessprobe:v1.1.0-rev1 , ses/7/cephcsi/csi-livenessprobe:v1.1.0-rev1-build3.102 Container Release : 3.102 Severity : important Type : security References : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-livenessprobe was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*.
(bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) From sle-security-updates at lists.suse.com Thu Nov 26 00:16:25 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Nov 2020 08:16:25 +0100 (CET) Subject: SUSE-CU-2020:704-1: Security update of ses/7/cephcsi/csi-node-driver-registrar Message-ID: <20201126071625.284D6FBB3@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/csi-node-driver-registrar ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:704-1 Container Tags : ses/7/cephcsi/csi-node-driver-registrar:v1.3.0 , ses/7/cephcsi/csi-node-driver-registrar:v1.3.0-rev1 , ses/7/cephcsi/csi-node-driver-registrar:v1.3.0-rev1-build3.99 Container Release : 3.99 Severity : important Type : security References : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. 
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3502-1
Released:    Tue Nov 24 14:31:32 2020
Summary:     Recommended update for csi-node-driver-registrar
Type:        recommended
Severity:    moderate
References:

This update for csi-node-driver-registrar fixes the following issues:

- Update to version 1.3.0
- Fix registration socket cleanup on Windows during startup.
- Migrated to 'go' modules, so the source builds also outside of 'GOPATH'.
- Rework '_service' and spec file to make future version updates easier.
From sle-security-updates at lists.suse.com Thu Nov 26 00:17:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:17:04 +0100 (CET)
Subject: SUSE-CU-2020:705-1: Security update of ses/7/cephcsi/csi-provisioner
Message-ID: <20201126071704.3E18EFBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-provisioner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:705-1
Container Tags        : ses/7/cephcsi/csi-provisioner:v1.6.0 , ses/7/cephcsi/csi-provisioner:v1.6.0-rev1 , ses/7/cephcsi/csi-provisioner:v1.6.0-rev1-build3.95
Container Release     : 3.95
Severity              : important
Type                  : security
References            : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-provisioner was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This makes it possible to drop the workaround of manually cleaning the journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*.
  (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Thu Nov 26 00:17:43 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:17:43 +0100 (CET)
Subject: SUSE-CU-2020:706-1: Security update of ses/7/cephcsi/csi-resizer
Message-ID: <20201126071743.76A73FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-resizer
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:706-1
Container Tags        : ses/7/cephcsi/csi-resizer:v0.5.0 , ses/7/cephcsi/csi-resizer:v0.5.0-rev1 , ses/7/cephcsi/csi-resizer:v0.5.0-rev1-build3.94
Container Release     : 3.94
Severity              : important
Type                  : security
References            : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-resizer was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This makes it possible to drop the workaround of manually cleaning the journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3504-1
Released:    Tue Nov 24 14:32:01 2020
Summary:     Recommended update for csi-external-resizer
Type:        recommended
Severity:    moderate
References:

This update for csi-external-resizer fixes the following issues:

- Update to version 0.5.0.
- Ability to customize PVC workqueue retry interval.
- Pass volume capability to 'ControllerExpandVolume' RPC call.
- Rework '_service' and spec file to make future version updates easier.
From sle-security-updates at lists.suse.com Thu Nov 26 00:18:24 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:18:24 +0100 (CET)
Subject: SUSE-CU-2020:707-1: Security update of ses/7/cephcsi/csi-snapshotter
Message-ID: <20201126071824.4B3DCFBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-snapshotter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:707-1
Container Tags        : ses/7/cephcsi/csi-snapshotter:v2.1.1 , ses/7/cephcsi/csi-snapshotter:v2.1.1-rev1 , ses/7/cephcsi/csi-snapshotter:v2.1.1-rev1-build3.94
Container Release     : 3.94
Severity              : important
Type                  : security
References            : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-snapshotter was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This makes it possible to drop the workaround of manually cleaning the journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*.
  (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Thu Nov 26 00:19:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:19:08 +0100 (CET)
Subject: SUSE-CU-2020:708-1: Security update of ses/7/prometheus-webhook-snmp
Message-ID: <20201126071908.3352FFBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/prometheus-webhook-snmp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:708-1
Container Tags        : ses/7/prometheus-webhook-snmp:1.4 , ses/7/prometheus-webhook-snmp:1.4.1.81 , ses/7/prometheus-webhook-snmp:latest , ses/7/prometheus-webhook-snmp:sle15.2.octopus
Container Release     : 1.81
Severity              : important
Type                  : security
References            : 1174232 1174593 1177458 1177490 1177510 1177858 1178387 1178512 1178727 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/prometheus-webhook-snmp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This makes it possible to drop the workaround of manually cleaning the journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

From sle-security-updates at lists.suse.com Thu Nov 26 00:20:48 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 08:20:48 +0100 (CET)
Subject: SUSE-CU-2020:709-1: Security update of ses/7/rook/ceph
Message-ID: <20201126072048.A0757FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:709-1
Container Tags        : ses/7/rook/ceph:1.4.7 , ses/7/rook/ceph:1.4.7.6 , ses/7/rook/ceph:1.4.7.6.1.1378 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1378
Severity              : important
Type                  : security
References            : 1160790 1161088 1161089 1161670 1174232 1174593 1176116 1176256 1176257 1176258 1176259 1177458 1177490 1177510 1177699 1177858 1177864 1177939 1178387 1178512 1178727 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2020-15166 CVE-2020-25692 CVE-2020-28196
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov 4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:
  - EE Certification Centre Root CA
  - Taiwan GRCA
- Added CAs:
  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3264-1
Released:    Tue Nov 10 09:50:29 2020
Summary:     Security update for zeromq
Type:        security
Severity:    moderate
References:  1176116,1176256,1176257,1176258,1176259,CVE-2020-15166

This update for zeromq fixes the following issues:

- CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116).
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256)
- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed memory leak when processing PUB messages with metadata (bsc#1176259)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3269-1
Released:    Tue Nov 10 15:57:24 2020
Summary:     Security update for python-waitress
Type:        security
Severity:    moderate
References:  1160790,1161088,1161089,1161670,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792

This update for python-waitress to 1.4.3 fixes the following security issues:

- CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: HTTP request smuggling by sending the Content-Length header twice (bsc#1161670).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, leading to abort() calls if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3301-1
Released:    Thu Nov 12 13:51:02 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1177939

This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3307-1
Released:    Thu Nov 12 14:17:55 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1177699

This update for rdma-core fixes the following issue:

- Move rxe_cfg to libibverbs-utils. (bsc#1177699)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This makes it possible to drop the workaround of manually cleaning the journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727

This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*.
  (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3510-1
Released:    Wed Nov 25 07:38:02 2020
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:

This update for rook fixes the following issues:

rook was updated to v1.4.7

* Ceph
  * Log warning about v14.2.13 being an unsupported Ceph version due to errors creating new OSDs (#6545)
  * Disaster recovery guide for PVCs (#6452)
  * Set the deviceClass for OSDs in non-PVC clusters (#6545)
  * External cluster script to fail if prometheus port is not default (#6504)
  * Remove the osd pvc from the osd purge job (#6533)
  * External cluster script added additional checks for monitoring endpoint (#6473)
  * Ignore Ceph health error MDS_ALL_DOWN during reconciliation (#6494)
  * Add optional labels to mon pods (#6515)
  * Assert type for logging errors before using it (#6503)
  * Check for orphaned mon resources with every reconcile (#6493)
  * Update the mon PDBs if the maxUnavailable changed (#6469)
* NFS
  * Update documentation and examples (#6455)

From sle-security-updates at lists.suse.com Thu Nov 26 07:15:20 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 15:15:20 +0100 (CET)
Subject: SUSE-SU-2020:3528-1: important: Security update for MozillaThunderbird
Message-ID: <20201126141520.86ABFFBB4@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3528-1
Rating:             important
References:         #1178894
Cross-References:   CVE-2020-15999 CVE-2020-16012
                    CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958
                    CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965
                    CVE-2020-26966 CVE-2020-26968
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

- Mozilla Thunderbird 78.5.0
  * new: OpenPGP: Added option to disable attaching the public key to a signed message (bmo#1654950)
  * new: MailExtensions: "compose_attachments" context added to Menus API (bmo#1670822)
  * new: MailExtensions: Menus API now available on displayed messages (bmo#1670825)
  * changed: MailExtensions: browser.tabs.create will now wait for "mail-delayed-startup-finished" event (bmo#1674407)
  * fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851)
  * fixed: OpenPGP: Message security dialog showed unverified keys as unavailable (bmo#1675285)
  * fixed: Chat: New chat contact menu item did not function (bmo#1663321)
  * fixed: Various theme and usability improvements (bmo#1673861)
  * fixed: Various security fixes MFSA 2020-52 (bsc#1178894)
    * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
    * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls
    * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI
    * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API)
    * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions
    * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
    * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray
    * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
    * CVE-2020-26961
      (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses
    * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords
    * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network
    * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Thunderbird 78.5
- Mozilla Thunderbird 78.4.3
  * fixed: User interface was inconsistent when switching from the default theme to the dark theme and back to the default theme (bmo#1659282)
  * fixed: Email subject would disappear when hovering over it with the mouse when using Windows 7 Classic theme (bmo#1675970)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP2:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2020-3528=1

- SUSE Linux Enterprise Workstation Extension 15-SP1:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-3528=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

  MozillaThunderbird-78.5.0-3.107.1
  MozillaThunderbird-debuginfo-78.5.0-3.107.1
  MozillaThunderbird-debugsource-78.5.0-3.107.1
  MozillaThunderbird-translations-common-78.5.0-3.107.1
  MozillaThunderbird-translations-other-78.5.0-3.107.1

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

  MozillaThunderbird-78.5.0-3.107.1
  MozillaThunderbird-debuginfo-78.5.0-3.107.1
  MozillaThunderbird-debugsource-78.5.0-3.107.1
  MozillaThunderbird-translations-common-78.5.0-3.107.1
  MozillaThunderbird-translations-other-78.5.0-3.107.1

References:

https://www.suse.com/security/cve/CVE-2020-15999.html
https://www.suse.com/security/cve/CVE-2020-16012.html
https://www.suse.com/security/cve/CVE-2020-26951.html
https://www.suse.com/security/cve/CVE-2020-26953.html
https://www.suse.com/security/cve/CVE-2020-26956.html
https://www.suse.com/security/cve/CVE-2020-26958.html
https://www.suse.com/security/cve/CVE-2020-26959.html
https://www.suse.com/security/cve/CVE-2020-26960.html
https://www.suse.com/security/cve/CVE-2020-26961.html
https://www.suse.com/security/cve/CVE-2020-26965.html
https://www.suse.com/security/cve/CVE-2020-26966.html
https://www.suse.com/security/cve/CVE-2020-26968.html
https://bugzilla.suse.com/1178894

From sle-security-updates at lists.suse.com Thu Nov 26 10:18:39 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 18:18:39 +0100 (CET)
Subject: SUSE-SU-2020:3532-1: important: Security update for the Linux Kernel
Message-ID: <20201126171839.1E27AF7D6@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3532-1
Rating:             important
References:         #1051510 #1058115 #1065600 #1131277 #1160947 #1161360
                    #1163524 #1166965 #1170232 #1170415 #1171417 #1172073
                    #1172366 #1173115 #1173233 #1175306 #1175721 #1175749
                    #1175882 #1176011 #1176235 #1176278 #1176381 #1176423
                    #1176482 #1176485 #1176698 #1176721 #1176722 #1176723
                    #1176725 #1176732 #1176877 #1176907 #1176922 #1176990
                    #1177027 #1177086 #1177121 #1177165 #1177206 #1177226
                    #1177410 #1177411 #1177470 #1177511 #1177513 #1177724
                    #1177725 #1177766 #1178003 #1178123 #1178330 #1178393
                    #1178622 #1178765 #1178782 #1178838
Cross-References:   CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431
                    CVE-2020-0432 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351
                    CVE-2020-14381 CVE-2020-14390 CVE-2020-16120 CVE-2020-2521
                    CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641
                    CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668
                    CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-27673
                    CVE-2020-27675 CVE-2020-8694
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15
______________________________________________________________________________

An update that solves 26 vulnerabilities and has 32 fixes is now available.

Description:

The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way the Linux kernel rate-limits reply ICMP packets was found that allowed quickly scanning open UDP ports. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed the permission check for opening the real file when using overlayfs. It was possible for a file not readable by an unprivileged user to be copied to a mountpoint controlled by that user, who could then access the file (bsc#1177470).
- CVE-2020-8694: Restricted the energy meter to root access (bsc#1170415).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets, aka "BleedingTooth" aka "BadKarma" (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets, aka "BleedingTooth" (bsc#1177725).
- CVE-2020-25212: Fixed a getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
- CVE-2020-2521: Fixed a getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation that could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out-of-bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out-of-bounds read due to a use-after-free (bsc#1176725).
- CVE-2020-0431: Fixed an out-of-bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-27673: Fixed an issue where rogue guests could have caused a denial of service of Dom0 via high-frequency events (XSA-332 bsc#1177411).
- CVE-2020-27675: Fixed a race condition in the event handler which may crash dom0 (XSA-331 bsc#1177410).

The following non-security bugs were fixed:

- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277).
- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- livepatch: Add -fdump-ipa-clones to build (). Add support for the -fdump-ipa-clones GCC option. Update config files accordingly.
- livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877).
- x86/kexec: Use up-to-date screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3532=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
  kernel-default-debuginfo-4.12.14-150.63.1
  kernel-default-debugsource-4.12.14-150.63.1
  kernel-default-livepatch-4.12.14-150.63.1
  kernel-livepatch-4_12_14-150_63-default-1-1.5.1
  kernel-livepatch-4_12_14-150_63-default-debuginfo-1-1.5.1

References:

https://www.suse.com/security/cve/CVE-2020-0404.html
https://www.suse.com/security/cve/CVE-2020-0427.html
https://www.suse.com/security/cve/CVE-2020-0430.html
https://www.suse.com/security/cve/CVE-2020-0431.html
https://www.suse.com/security/cve/CVE-2020-0432.html
https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-12352.html
https://www.suse.com/security/cve/CVE-2020-14351.html
https://www.suse.com/security/cve/CVE-2020-14381.html
https://www.suse.com/security/cve/CVE-2020-14390.html https://www.suse.com/security/cve/CVE-2020-16120.html https://www.suse.com/security/cve/CVE-2020-2521.html https://www.suse.com/security/cve/CVE-2020-25212.html https://www.suse.com/security/cve/CVE-2020-25284.html https://www.suse.com/security/cve/CVE-2020-25285.html https://www.suse.com/security/cve/CVE-2020-25641.html https://www.suse.com/security/cve/CVE-2020-25643.html https://www.suse.com/security/cve/CVE-2020-25645.html https://www.suse.com/security/cve/CVE-2020-25656.html https://www.suse.com/security/cve/CVE-2020-25668.html https://www.suse.com/security/cve/CVE-2020-25704.html https://www.suse.com/security/cve/CVE-2020-25705.html https://www.suse.com/security/cve/CVE-2020-26088.html https://www.suse.com/security/cve/CVE-2020-27673.html https://www.suse.com/security/cve/CVE-2020-27675.html https://www.suse.com/security/cve/CVE-2020-8694.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1131277 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1161360 https://bugzilla.suse.com/1163524 https://bugzilla.suse.com/1166965 https://bugzilla.suse.com/1170232 https://bugzilla.suse.com/1170415 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1172073 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1173115 https://bugzilla.suse.com/1173233 https://bugzilla.suse.com/1175306 https://bugzilla.suse.com/1175721 https://bugzilla.suse.com/1175749 https://bugzilla.suse.com/1175882 https://bugzilla.suse.com/1176011 https://bugzilla.suse.com/1176235 https://bugzilla.suse.com/1176278 https://bugzilla.suse.com/1176381 https://bugzilla.suse.com/1176423 https://bugzilla.suse.com/1176482 https://bugzilla.suse.com/1176485 https://bugzilla.suse.com/1176698 https://bugzilla.suse.com/1176721 https://bugzilla.suse.com/1176722 https://bugzilla.suse.com/1176723 https://bugzilla.suse.com/1176725 
https://bugzilla.suse.com/1176732
https://bugzilla.suse.com/1176877
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176922
https://bugzilla.suse.com/1176990
https://bugzilla.suse.com/1177027
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177121
https://bugzilla.suse.com/1177165
https://bugzilla.suse.com/1177206
https://bugzilla.suse.com/1177226
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177511
https://bugzilla.suse.com/1177513
https://bugzilla.suse.com/1177724
https://bugzilla.suse.com/1177725
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1178003
https://bugzilla.suse.com/1178123
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1178393
https://bugzilla.suse.com/1178622
https://bugzilla.suse.com/1178765
https://bugzilla.suse.com/1178782
https://bugzilla.suse.com/1178838

From sle-security-updates at lists.suse.com Thu Nov 26 10:27:09 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 18:27:09 +0100 (CET)
Subject: SUSE-SU-2020:14550-1: important: Security update for python
Message-ID: <20201126172709.8BC8BF7E7@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14550-1
Rating: important
References: #1177211
Cross-References: CVE-2020-26116
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.
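The CVE-2020-26116 fix this advisory ships makes HTTPConnection.putrequest refuse a method argument that could terminate the request line and smuggle further header lines into the request. The Python 3 block below is an added example written for this page, not SUSE's patch or CPython's own code: it assumes the upstream check amounts to rejecting any ASCII control character (the class [\x00-\x1f]), applies that check before a request line is assembled, and adds a small regression probe (the helper name python_rejects_control_chars_in_method is this example's own) that reports whether the running interpreter's http.client carries the fix, which is the check an administrator would run after installing the update.

```python
import re
from http.client import HTTPConnection

# Character class assumed to match the upstream CVE-2020-26116 fix: any ASCII
# control character (CR and LF included) is rejected, because the method is
# written into the request line unescaped and a CRLF inside it would start a
# new header line.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method: str) -> str:
    """Return `method` unchanged, or raise ValueError if it contains a control character."""
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(
            "method can't contain control characters: %r (found %r)"
            % (method, match.group())
        )
    return method


def is_safe_method(method: str) -> bool:
    """Boolean form of validate_method, for callers that want to reject early."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def build_request_line(method: str, url: str, version: str = "HTTP/1.1") -> str:
    """Build an HTTP request line; validation guarantees it is exactly one line."""
    return "%s %s %s\r\n" % (validate_method(method), url, version)


def python_rejects_control_chars_in_method() -> bool:
    """Regression probe (hypothetical helper): does this interpreter's http.client
    carry the fix?  putrequest() only buffers output, so no connection is opened."""
    conn = HTTPConnection("localhost")
    try:
        conn.putrequest("GET\r\nX-Injected: 1", "/")  # constructed test input
    except ValueError:
        return True  # patched: the method is refused before anything is buffered
    finally:
        conn.close()
    return False  # unpatched: the control characters were accepted silently


if __name__ == "__main__":
    print(build_request_line("GET", "/index.html").encode())
    print("interpreter patched for CVE-2020-26116:",
          python_rejects_control_chars_in_method())
```

Running the block on an updated interpreter prints True from the probe; on a build without the fix it prints False, which is the signal to apply the patch listed below. The validation is deliberately applied at the point where the request line is built, so any code path that lets a caller choose the method (an HTTP proxy, a REST client that takes the verb from configuration) is covered by one check.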
Description:

This update for python fixes the following issues:

- bsc#1177211 (CVE-2020-26116): HTTPConnection.putrequest in httplib no longer allows special characters in the method parameter, preventing injection of headers.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-python-14550=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-python-14550=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-python-14550=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-python-14550=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  libpython2_6-1_0-2.6.9-40.48.1
  python-2.6.9-40.48.1
  python-base-2.6.9-40.48.1
  python-curses-2.6.9-40.48.1
  python-demo-2.6.9-40.48.1
  python-gdbm-2.6.9-40.48.1
  python-idle-2.6.9-40.48.1
  python-tk-2.6.9-40.48.1
  python-xml-2.6.9-40.48.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
  libpython2_6-1_0-32bit-2.6.9-40.48.1
  python-32bit-2.6.9-40.48.1
  python-base-32bit-2.6.9-40.48.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (noarch):
  python-doc-2.6-8.40.48.1
  python-doc-pdf-2.6-8.40.48.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):
  python-doc-2.6-8.40.48.1
  python-doc-pdf-2.6-8.40.48.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  libpython2_6-1_0-2.6.9-40.48.1
  python-2.6.9-40.48.1
  python-base-2.6.9-40.48.1
  python-curses-2.6.9-40.48.1
  python-demo-2.6.9-40.48.1
  python-gdbm-2.6.9-40.48.1
  python-idle-2.6.9-40.48.1
  python-tk-2.6.9-40.48.1
  python-xml-2.6.9-40.48.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  python-base-debuginfo-2.6.9-40.48.1
  python-base-debugsource-2.6.9-40.48.1
  python-debuginfo-2.6.9-40.48.1
  python-debugsource-2.6.9-40.48.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
  python-base-debuginfo-32bit-2.6.9-40.48.1
  python-debuginfo-32bit-2.6.9-40.48.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  python-base-debuginfo-2.6.9-40.48.1
  python-base-debugsource-2.6.9-40.48.1
  python-debuginfo-2.6.9-40.48.1
  python-debugsource-2.6.9-40.48.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64):
  python-base-debuginfo-32bit-2.6.9-40.48.1
  python-debuginfo-32bit-2.6.9-40.48.1

References:

https://www.suse.com/security/cve/CVE-2020-26116.html
https://bugzilla.suse.com/1177211

From sle-security-updates at lists.suse.com Thu Nov 26 10:28:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 18:28:02 +0100 (CET)
Subject: SUSE-SU-2020:14549-1: important: Security update for LibVNCServer
Message-ID: <20201126172802.DCCCDF7E7@maintenance.suse.de>

SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14549-1
Rating: important
References: #1178682
Cross-References: CVE-2020-25708
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for LibVNCServer fixes the following issues:

- CVE-2020-25708 [bsc#1178682]: Fixed a divide by zero in libvncserver/rfbserver.c which could result in a denial of service (DoS).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-LibVNCServer-14549=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-LibVNCServer-14549=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-LibVNCServer-14549=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-LibVNCServer-14549=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  LibVNCServer-0.9.1-160.22.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  LibVNCServer-0.9.1-160.22.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  LibVNCServer-debuginfo-0.9.1-160.22.1
  LibVNCServer-debugsource-0.9.1-160.22.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  LibVNCServer-debuginfo-0.9.1-160.22.1
  LibVNCServer-debugsource-0.9.1-160.22.1

References:

https://www.suse.com/security/cve/CVE-2020-25708.html
https://bugzilla.suse.com/1178682

From sle-security-updates at lists.suse.com Thu Nov 26 10:30:26 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 18:30:26 +0100 (CET)
Subject: SUSE-SU-2020:3532-1: important: Security update for the Linux Kernel
Message-ID: <20201126173026.46FC9F7D6@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:3532-1
Rating: important
References: #1051510 #1058115 #1065600 #1131277 #1160947 #1161360 #1163524 #1166965
            #1170232 #1170415 #1171417 #1172073 #1172366 #1173115 #1173233 #1175306
            #1175721 #1175749 #1175882 #1176011 #1176235 #1176278 #1176381 #1176423
            #1176482 #1176485 #1176698 #1176721 #1176722 #1176723 #1176725 #1176732
            #1176877 #1176907 #1176922 #1176990 #1177027 #1177086 #1177121 #1177165
            #1177206 #1177226 #1177410 #1177411 #1177470 #1177511 #1177513 #1177724
            #1177725 #1177766 #1178003 #1178123 #1178330 #1178393 #1178622 #1178765
            #1178782 #1178838
Cross-References: CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431 CVE-2020-0432
                  CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381 CVE-2020-14390
                  CVE-2020-16120 CVE-2020-2521 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285
                  CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668
                  CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-27673 CVE-2020-27675
                  CVE-2020-8694
Affected Products:
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Live Patching 15
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that solves 26 vulnerabilities and has 32 fixes is now available.

Description:

The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way the Linux kernel rate-limits reply ICMP packets was found that allowed quickly scanning open UDP ports. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed the permission check for opening the real file when using overlayfs. It was possible for a file not readable by an unprivileged user to be copied to a mountpoint controlled by that user, who could then access the file (bsc#1177470).
- CVE-2020-8694: Restricted the energy meter to root access (bsc#1170415).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets, aka "BleedingTooth" aka "BadKarma" (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets, aka "BleedingTooth" (bsc#1177725).
- CVE-2020-25212: Fixed a getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
- CVE-2020-2521: Fixed a getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation that could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out-of-bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out-of-bounds read due to a use-after-free (bsc#1176725).
- CVE-2020-0431: Fixed an out-of-bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-27673: Fixed an issue where rogue guests could have caused a denial of service of Dom0 via high-frequency events (XSA-332 bsc#1177411).
- CVE-2020-27675: Fixed a race condition in the event handler which may crash dom0 (XSA-331 bsc#1177410).

The following non-security bugs were fixed:

- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277).
- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- livepatch: Add -fdump-ipa-clones to build (). Add support for the -fdump-ipa-clones GCC option. Update config files accordingly.
- livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877).
- x86/kexec: Use up-to-date screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3532=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3532=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3532=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3532=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3532=1 - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2020-3532=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 reiserfs-kmp-default-4.12.14-150.63.1 reiserfs-kmp-default-debuginfo-4.12.14-150.63.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 
kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 reiserfs-kmp-default-4.12.14-150.63.1 reiserfs-kmp-default-debuginfo-4.12.14-150.63.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): kernel-default-man-4.12.14-150.63.1 kernel-zfcpdump-debuginfo-4.12.14-150.63.1 kernel-zfcpdump-debugsource-4.12.14-150.63.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-livepatch-4.12.14-150.63.1 kernel-livepatch-4_12_14-150_63-default-1-1.5.1 kernel-livepatch-4_12_14-150_63-default-debuginfo-1-1.5.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 
      kernel-default-devel-debuginfo-4.12.14-150.63.1
      kernel-obs-build-4.12.14-150.63.1
      kernel-obs-build-debugsource-4.12.14-150.63.1
      kernel-syms-4.12.14-150.63.1
      kernel-vanilla-base-4.12.14-150.63.1
      kernel-vanilla-base-debuginfo-4.12.14-150.63.1
      kernel-vanilla-debuginfo-4.12.14-150.63.1
      kernel-vanilla-debugsource-4.12.14-150.63.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      kernel-devel-4.12.14-150.63.1
      kernel-docs-4.12.14-150.63.1
      kernel-macros-4.12.14-150.63.1
      kernel-source-4.12.14-150.63.1

   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-150.63.1
      cluster-md-kmp-default-debuginfo-4.12.14-150.63.1
      dlm-kmp-default-4.12.14-150.63.1
      dlm-kmp-default-debuginfo-4.12.14-150.63.1
      gfs2-kmp-default-4.12.14-150.63.1
      gfs2-kmp-default-debuginfo-4.12.14-150.63.1
      kernel-default-debuginfo-4.12.14-150.63.1
      kernel-default-debugsource-4.12.14-150.63.1
      ocfs2-kmp-default-4.12.14-150.63.1
      ocfs2-kmp-default-debuginfo-4.12.14-150.63.1

References:

   https://www.suse.com/security/cve/CVE-2020-0404.html
   https://www.suse.com/security/cve/CVE-2020-0427.html
   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-0432.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14390.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-2521.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25284.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25668.html
   https://www.suse.com/security/cve/CVE-2020-25704.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-26088.html
   https://www.suse.com/security/cve/CVE-2020-27673.html
   https://www.suse.com/security/cve/CVE-2020-27675.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1131277
   https://bugzilla.suse.com/1160947
   https://bugzilla.suse.com/1161360
   https://bugzilla.suse.com/1163524
   https://bugzilla.suse.com/1166965
   https://bugzilla.suse.com/1170232
   https://bugzilla.suse.com/1170415
   https://bugzilla.suse.com/1171417
   https://bugzilla.suse.com/1172073
   https://bugzilla.suse.com/1172366
   https://bugzilla.suse.com/1173115
   https://bugzilla.suse.com/1173233
   https://bugzilla.suse.com/1175306
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1175749
   https://bugzilla.suse.com/1175882
   https://bugzilla.suse.com/1176011
   https://bugzilla.suse.com/1176235
   https://bugzilla.suse.com/1176278
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176423
   https://bugzilla.suse.com/1176482
   https://bugzilla.suse.com/1176485
   https://bugzilla.suse.com/1176698
   https://bugzilla.suse.com/1176721
   https://bugzilla.suse.com/1176722
   https://bugzilla.suse.com/1176723
   https://bugzilla.suse.com/1176725
   https://bugzilla.suse.com/1176732
   https://bugzilla.suse.com/1176877
   https://bugzilla.suse.com/1176907
   https://bugzilla.suse.com/1176922
   https://bugzilla.suse.com/1176990
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177086
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177165
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177226
   https://bugzilla.suse.com/1177410
   https://bugzilla.suse.com/1177411
   https://bugzilla.suse.com/1177470
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/1177513
   https://bugzilla.suse.com/1177724
   https://bugzilla.suse.com/1177725
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1178003
   https://bugzilla.suse.com/1178123
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178393
   https://bugzilla.suse.com/1178622
   https://bugzilla.suse.com/1178765
   https://bugzilla.suse.com/1178782
   https://bugzilla.suse.com/1178838

From sle-security-updates at lists.suse.com Thu Nov 26 13:21:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 21:21:46 +0100 (CET)
Subject: SUSE-SU-2020:3539-1: important: Security update for ceph
Message-ID: <20201126202146.5CD9CF7E7@maintenance.suse.de>

   SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3539-1
Rating:             important
References:         #1170200 #1174466 #1177344 #1177843 #1178073 #1178531
Cross-References:   CVE-2020-25660
Affected Products:
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for ceph fixes the following issues:

   Security issue fixed:

   - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).

   - mgr/dashboard: Fix for CrushMap viewer items getting compressed
     vertically (bsc#1170200)
   - mon: have 'mon stat' output json as well (bsc#1174466)
   - mgr/dashboard: support Orchestrator and user-defined Ganesha cluster
     (bsc#1177344)
   - mgr/dashboard: fix downstream NFS doc links (bsc#1178073)
   - cephadm: set default container_image to
     registry.suse.com/ses/7/ceph/ceph (bsc#1178531)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2020-3539=1

Package List:

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      ceph-base-15.2.5.667+g1a579d5bf2-3.3.1
      ceph-base-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      ceph-common-15.2.5.667+g1a579d5bf2-3.3.1
      ceph-common-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      ceph-debugsource-15.2.5.667+g1a579d5bf2-3.3.1
      cephadm-15.2.5.667+g1a579d5bf2-3.3.1
      libcephfs2-15.2.5.667+g1a579d5bf2-3.3.1
      libcephfs2-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      librados2-15.2.5.667+g1a579d5bf2-3.3.1
      librados2-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      librbd1-15.2.5.667+g1a579d5bf2-3.3.1
      librbd1-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      librgw2-15.2.5.667+g1a579d5bf2-3.3.1
      librgw2-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      python3-ceph-argparse-15.2.5.667+g1a579d5bf2-3.3.1
      python3-ceph-common-15.2.5.667+g1a579d5bf2-3.3.1
      python3-cephfs-15.2.5.667+g1a579d5bf2-3.3.1
      python3-cephfs-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rados-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rados-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rbd-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rbd-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rgw-15.2.5.667+g1a579d5bf2-3.3.1
      python3-rgw-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1
      rbd-nbd-15.2.5.667+g1a579d5bf2-3.3.1
      rbd-nbd-debuginfo-15.2.5.667+g1a579d5bf2-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-25660.html
   https://bugzilla.suse.com/1170200
   https://bugzilla.suse.com/1174466
   https://bugzilla.suse.com/1177344
   https://bugzilla.suse.com/1177843
   https://bugzilla.suse.com/1178073
   https://bugzilla.suse.com/1178531

From sle-security-updates at lists.suse.com Thu Nov 26 13:24:56 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 21:24:56 +0100 (CET)
Subject: SUSE-SU-2020:3544-1: important: Security update for the Linux Kernel
Message-ID: <20201126202456.1D8DFF7E7@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3544-1
Rating:             important
References:         #1051510 #1058115 #1065600 #1131277 #1160947 #1163524
                    #1166965 #1168468 #1170139 #1170232 #1170415 #1171417
                    #1171675 #1172073 #1172366 #1173115 #1173233 #1175228
                    #1175306 #1175721 #1175882 #1176011 #1176235 #1176278
                    #1176381 #1176423 #1176482 #1176485 #1176698 #1176721
                    #1176722 #1176723 #1176725 #1176732 #1176869 #1176907
                    #1176922 #1176935 #1176950 #1176990 #1177027 #1177086
                    #1177121 #1177206 #1177340 #1177410 #1177411 #1177470
                    #1177511 #1177724 #1177725 #1177766 #1177816 #1178123
                    #1178330 #1178393 #1178669 #1178765 #1178782 #1178838
Cross-References:   CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431
                    CVE-2020-0432 CVE-2020-12351 CVE-2020-12352
                    CVE-2020-14351 CVE-2020-14381 CVE-2020-14390
                    CVE-2020-16120 CVE-2020-2521 CVE-2020-25212
                    CVE-2020-25284 CVE-2020-25285 CVE-2020-25641
                    CVE-2020-25643 CVE-2020-25645 CVE-2020-25656
                    CVE-2020-25668 CVE-2020-25704 CVE-2020-25705
                    CVE-2020-26088 CVE-2020-27673 CVE-2020-27675
                    CVE-2020-8694
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that solves 26 vulnerabilities and has 34 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various
   security and bug fixes.

   The following security bugs were fixed:

   - CVE-2020-25705: A flaw was found in the way reply ICMP packets are
     limited, which allowed open UDP ports to be scanned quickly. This flaw
     allowed an off-path remote user to effectively bypass UDP source port
     randomization. The highest threat from this vulnerability is to
     confidentiality and possibly integrity, because software and services
     that rely on UDP source port randomization (like DNS) are indirectly
     affected as well. Kernel versions may be vulnerable to this issue
     (bsc#1175721, bsc#1178782).
   - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter()
     (bsc#1178393).
   - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).
   - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl
     (bnc#1177766).
   - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers
     in mm/hugetlb.c (bnc#1176485).
   - CVE-2020-0430: Fixed an OOB read in skb_headlen of
     /include/linux/skbuff.h (bnc#1176723).
   - CVE-2020-14351: Fixed a race in the perf_mmap_close() function
     (bsc#1177086).
   - CVE-2020-16120: Fixed a permissions issue in ovl_path_open()
     (bsc#1177470).
   - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
   - CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops
     filter addition (bsc#1177724).
   - CVE-2020-12352: Fixed an information leak when processing certain AMP
     packets aka "BleedingTooth" (bsc#1177725).
   - CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code
     (bnc#1176381).
   - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two
     Geneve endpoints to be unencrypted (bnc#1177511).
   - CVE-2020-14381: Fixed a UAF in the fast user mutex (futex) wait
     operation (bsc#1176011).
   - CVE-2020-25643: Fixed improper input validation in the ppp_cp_parse_cr
     function of the HDLC_PPP module (bnc#1177206).
   - CVE-2020-25641: Fixed an issue where a zero-length biovec request issued
     by the block subsystem could have caused the kernel to enter an infinite
     loop, causing a denial of service (bsc#1177121).
   - CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket
     creation that could have been used by local attackers to create raw
     sockets, bypassing security mechanisms (bsc#1176990).
   - CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory
     corruption or a denial of service when changing screen size
     (bnc#1176235).
   - CVE-2020-0432: Fixed an out-of-bounds write due to an integer overflow
     (bsc#1176721).
   - CVE-2020-0427: Fixed an out-of-bounds read due to a use-after-free
     (bsc#1176725).
   - CVE-2020-0431: Fixed an out-of-bounds write due to a missing bounds check
     (bsc#1176722).
   - CVE-2020-0404: Fixed a linked list corruption due to an unusual root
     cause (bsc#1176423).
   - CVE-2020-25284: Fixed incomplete permission checking for access to rbd
     devices, which could have been leveraged by local attackers to map or
     unmap rbd block devices (bsc#1176482).
   - CVE-2020-27673: Fixed an issue where rogue guests could have caused a
     denial of service of Dom0 via high frequency events (XSA-332
     bsc#1177411).
   - CVE-2020-27675: Fixed a race condition in the event handler which may
     crash dom0 (XSA-331 bsc#1177410).

   The following non-security bugs were fixed:

   - btrfs: remove root usage from can_overcommit (bsc#1131277).
   - hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
   - hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
   - hyperv_fb: Update screen_info after removing old framebuffer
     (bsc#1175306).
   - livepatch: Add -fdump-ipa-clones to build (). Add support for the
     -fdump-ipa-clones GCC option. Update config files accordingly.
   - livepatch: Test if -fdump-ipa-clones is really available. As of now we
     add -fdump-ipa-clones unconditionally. It does not cause trouble if the
     kernel is built with the supported toolchain. Otherwise it could fail
     easily. Do the correct thing and test for the availability.
   - NFS: On fatal writeback errors, we need to call
     nfs_inode_remove_request() (bsc#1177340).
   - NFS: only invalidate dentries that are clearly invalid (bsc#1178669
     bsc#1170139).
   - NFS: Revalidate the file mapping on all fatal writeback errors
     (bsc#1177340).
   - NFSv4: do not mark all open state for recovery when handling recallable
     state revoked flag (bsc#1176935).
   - obsolete_kmp: provide newer version than the obsoleted one (boo#1170232).
   - ocfs2: give applications more IO opportunities during fstrim
     (bsc#1175228).
   - powerpc/pseries/cpuidle: add polling idle for shared processor guests
     (bsc#1178765 ltc#188968).
   - rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules
     (bsc#1176869 ltc#188243).
   - scsi: fnic: Do not call 'scsi_done()' for unhandled commands
     (bsc#1168468, bsc#1171675).
   - scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).
   - scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233).
   - video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host
     (bsc#1175306).
   - video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer
     driver (bsc#1175306).
   - video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs
     (bsc#1175306).
   - x86/kexec: Use up-to-date screen_info copy to fill boot params
     (bsc#1175306).
   - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
   - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332
     bsc#1177411).
   - xen/events: avoid removing an event channel while handling it (XSA-331
     bsc#1177410).
   - xen/events: block rogue events for some time (XSA-332 bsc#1177411).
   - xen/events: defer eoi in case of excessive number of events (XSA-332
     bsc#1177411).
   - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
   - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
   - xen/events: switch user event channels to lateeoi model (XSA-332
     bsc#1177411).
   - xen/events: use a common cpu hotplug hook for event channels (XSA-332
     bsc#1177411).
   - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
   - xen uses irqdesc::irq_data_common::handler_data to store a per interrupt
     XEN data pointer which contains XEN specific information (XSA-332
     bsc#1065600).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3544=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3544=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3544=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3544=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-3544=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-default-devel-debuginfo-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE OpenStack Cloud 9 (x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-default-devel-debuginfo-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE OpenStack Cloud 9 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):

      kernel-default-man-4.12.14-95.65.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-95.65.1
      cluster-md-kmp-default-debuginfo-4.12.14-95.65.1
      dlm-kmp-default-4.12.14-95.65.1
      dlm-kmp-default-debuginfo-4.12.14-95.65.1
      gfs2-kmp-default-4.12.14-95.65.1
      gfs2-kmp-default-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      ocfs2-kmp-default-4.12.14-95.65.1
      ocfs2-kmp-default-debuginfo-4.12.14-95.65.1

References:

   https://www.suse.com/security/cve/CVE-2020-0404.html
   https://www.suse.com/security/cve/CVE-2020-0427.html
   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-0432.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14390.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-2521.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25284.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25668.html
   https://www.suse.com/security/cve/CVE-2020-25704.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-26088.html
   https://www.suse.com/security/cve/CVE-2020-27673.html
   https://www.suse.com/security/cve/CVE-2020-27675.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1131277
   https://bugzilla.suse.com/1160947
   https://bugzilla.suse.com/1163524
   https://bugzilla.suse.com/1166965
   https://bugzilla.suse.com/1168468
   https://bugzilla.suse.com/1170139
   https://bugzilla.suse.com/1170232
   https://bugzilla.suse.com/1170415
   https://bugzilla.suse.com/1171417
   https://bugzilla.suse.com/1171675
   https://bugzilla.suse.com/1172073
   https://bugzilla.suse.com/1172366
   https://bugzilla.suse.com/1173115
   https://bugzilla.suse.com/1173233
   https://bugzilla.suse.com/1175228
   https://bugzilla.suse.com/1175306
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1175882
   https://bugzilla.suse.com/1176011
   https://bugzilla.suse.com/1176235
   https://bugzilla.suse.com/1176278
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176423
   https://bugzilla.suse.com/1176482
   https://bugzilla.suse.com/1176485
   https://bugzilla.suse.com/1176698
   https://bugzilla.suse.com/1176721
   https://bugzilla.suse.com/1176722
   https://bugzilla.suse.com/1176723
   https://bugzilla.suse.com/1176725
   https://bugzilla.suse.com/1176732
   https://bugzilla.suse.com/1176869
   https://bugzilla.suse.com/1176907
   https://bugzilla.suse.com/1176922
   https://bugzilla.suse.com/1176935
   https://bugzilla.suse.com/1176950
   https://bugzilla.suse.com/1176990
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177086
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177340
   https://bugzilla.suse.com/1177410
   https://bugzilla.suse.com/1177411
   https://bugzilla.suse.com/1177470
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/1177724
   https://bugzilla.suse.com/1177725
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1177816
   https://bugzilla.suse.com/1178123
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178393
   https://bugzilla.suse.com/1178669
   https://bugzilla.suse.com/1178765
   https://bugzilla.suse.com/1178782
   https://bugzilla.suse.com/1178838

From sle-security-updates at lists.suse.com Thu Nov 26 13:32:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Nov 2020 21:32:22 +0100 (CET)
Subject: SUSE-SU-2020:3473-2: moderate: Security update for ceph
Message-ID: <20201126203222.A281BF7E7@maintenance.suse.de>

   SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3473-2
Rating:             moderate
References:         #1163764 #1170200 #1170498 #1173079 #1174466 #1174529
                    #1174644 #1175120 #1175161 #1175169 #1176451 #1176499
                    #1176638 #1177078 #1177151 #1177319 #1177344 #1177450
                    #1177643 #1177676 #1177843 #1177933 #1178073 #1178531
                    SES-1071 SES-185
Cross-References:   CVE-2020-25660
Affected Products:
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves one vulnerability, contains two features and has 23
   fixes is now available.

Description:

   This update for ceph fixes the following issues:

   - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
   - Added --container-init feature (bsc#1177319, bsc#1163764)
   - Made journald the log driver again (bsc#1177933)
   - Fixed a condition check for copy_tree, copy_files, and move_files in
     cephadm (bsc#1177676)
   - Fixed a bug where the device_health_metrics pool got created even
     without any OSDs in the cluster (bsc#1173079)
   - Log cephadm output to /var/log/ceph/cephadm.log (bsc#1174644)
   - Fixed a bug where the orchestrator did not come up anymore after the
     deletion of OSDs (bsc#1176499)
   - Fixed a bug where cephadm failed to deploy all OSDs and got stuck
     (bsc#1177450)
   - python-common will no longer skip unavailable disks (bsc#1177151)
   - Added snap-schedule module (jsc#SES-704)
   - Updated the SES7 downstream branding (bsc#1175120, bsc#1175161,
     bsc#1175169, bsc#1170498)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
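A check an administrator will want after applying any of the advisories on this page, added here as an example and not part of the SUSE announcement: given the installed version-release strings (on a real host, the output of `rpm -q <package>`), report which packages are still below the fixed version named in the advisory. The comparison re-implements rpm's segment-wise version ordering (rpmvercmp semantics) rather than shelling out, so it runs offline; the inventory dictionary is constructed, and the higher ceph release from SUSE-SU-2020:3473-2 is used as the bar rather than the one from SUSE-SU-2020:3539-1.

```python
"""Compare installed SUSE package versions against an advisory's fixed versions.

Added example, not SUSE's code.  rpmvercmp() re-implements rpm's ordering so
the check works without rpm installed; split_vr() and compare_vr() apply it to
"version-release" strings as they appear in the Package List sections above.
"""
import re
from typing import Dict, List, Tuple

# Fixed version-release strings copied from the advisories on this page.
FIXED: Dict[str, str] = {
    "ceph-base": "15.2.5.667+g1a579d5bf2-3.5.1",   # SUSE-SU-2020:3473-2
    "cephadm": "15.2.5.667+g1a579d5bf2-3.5.1",     # SUSE-SU-2020:3473-2
    "kernel-default": "4.12.14-95.65.1",            # SUSE-SU-2020:3544-1 (SLE 12 SP4)
}


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics).

    Strings are cut into maximal digit or letter runs; separators ('.', '-',
    '+') are skipped.  Digit runs compare numerically (95.65 > 95.54 and
    150 > 95), letter runs lexically, a digit run beats a letter run, and a
    '~' sorts before anything, including the end of the string (1~rc1 < 1).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:
            # Segment types differ: the side holding the number is newer.
            return 1 if numeric else -1
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if i < len(a) else -1


def split_vr(vr: str) -> Tuple[str, str]:
    """Split 'version-release' at the last '-' (an rpm release never has one)."""
    version, _, release = vr.rpartition("-")
    if not version:
        raise ValueError(f"no release part in {vr!r}")
    return version, release


def compare_vr(installed: str, fixed: str) -> int:
    """rpm ordering of two version-release strings; epochs are assumed equal."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def unpatched(installed: Dict[str, str], fixed: Dict[str, str] = FIXED) -> List[str]:
    """Names of installed packages older than the advisory's fixed version."""
    return sorted(
        name for name, vr in installed.items()
        if name in fixed and compare_vr(vr, fixed[name]) < 0
    )


# Constructed inventory standing in for `rpm -q` output on a host; not real data.
INVENTORY: Dict[str, str] = {
    "ceph-base": "15.2.5.667+g1a579d5bf2-3.3.1",      # 3539-1 level, below 3473-2
    "cephadm": "15.2.5.667+g1a579d5bf2-3.5.1",        # already at the 3473-2 level
    "kernel-default": "4.12.14-95.54.1",               # constructed older SP4 kernel
    "python3-rados": "15.2.5.667+g1a579d5bf2-3.5.1",  # not in FIXED, so ignored
}

if __name__ == "__main__":
    for name in unpatched(INVENTORY):
        print(f"{name}: installed {INVENTORY[name]}, fixed in {FIXED[name]}")
```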
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2020-3473=1 Package List: - SUSE Enterprise Storage 7 (aarch64 x86_64): ceph-base-15.2.5.667+g1a579d5bf2-3.5.1 ceph-base-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 ceph-common-15.2.5.667+g1a579d5bf2-3.5.1 ceph-common-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 ceph-debugsource-15.2.5.667+g1a579d5bf2-3.5.1 cephadm-15.2.5.667+g1a579d5bf2-3.5.1 libcephfs2-15.2.5.667+g1a579d5bf2-3.5.1 libcephfs2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 librados2-15.2.5.667+g1a579d5bf2-3.5.1 librados2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 librbd1-15.2.5.667+g1a579d5bf2-3.5.1 librbd1-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 librgw2-15.2.5.667+g1a579d5bf2-3.5.1 librgw2-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 python3-ceph-argparse-15.2.5.667+g1a579d5bf2-3.5.1 python3-ceph-common-15.2.5.667+g1a579d5bf2-3.5.1 python3-cephfs-15.2.5.667+g1a579d5bf2-3.5.1 python3-cephfs-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 python3-rados-15.2.5.667+g1a579d5bf2-3.5.1 python3-rados-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 python3-rbd-15.2.5.667+g1a579d5bf2-3.5.1 python3-rbd-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 python3-rgw-15.2.5.667+g1a579d5bf2-3.5.1 python3-rgw-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 rbd-nbd-15.2.5.667+g1a579d5bf2-3.5.1 rbd-nbd-debuginfo-15.2.5.667+g1a579d5bf2-3.5.1 References: https://www.suse.com/security/cve/CVE-2020-25660.html https://bugzilla.suse.com/1163764 https://bugzilla.suse.com/1170200 https://bugzilla.suse.com/1170498 https://bugzilla.suse.com/1173079 https://bugzilla.suse.com/1174466 https://bugzilla.suse.com/1174529 https://bugzilla.suse.com/1174644 https://bugzilla.suse.com/1175120 https://bugzilla.suse.com/1175161 https://bugzilla.suse.com/1175169 https://bugzilla.suse.com/1176451 https://bugzilla.suse.com/1176499 https://bugzilla.suse.com/1176638 https://bugzilla.suse.com/1177078 https://bugzilla.suse.com/1177151 https://bugzilla.suse.com/1177319 
https://bugzilla.suse.com/1177344 https://bugzilla.suse.com/1177450 https://bugzilla.suse.com/1177643 https://bugzilla.suse.com/1177676 https://bugzilla.suse.com/1177843 https://bugzilla.suse.com/1177933 https://bugzilla.suse.com/1178073 https://bugzilla.suse.com/1178531 From sle-security-updates at lists.suse.com Thu Nov 26 13:47:34 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 26 Nov 2020 21:47:34 +0100 (CET) Subject: SUSE-SU-2020:3544-1: important: Security update for the Linux Kernel Message-ID: <20201126204734.CBBDEF7D6@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3544-1 Rating: important References: #1051510 #1058115 #1065600 #1131277 #1160947 #1163524 #1166965 #1168468 #1170139 #1170232 #1170415 #1171417 #1171675 #1172073 #1172366 #1173115 #1173233 #1175228 #1175306 #1175721 #1175882 #1176011 #1176235 #1176278 #1176381 #1176423 #1176482 #1176485 #1176698 #1176721 #1176722 #1176723 #1176725 #1176732 #1176869 #1176907 #1176922 #1176935 #1176950 #1176990 #1177027 #1177086 #1177121 #1177206 #1177340 #1177410 #1177411 #1177470 #1177511 #1177724 #1177725 #1177766 #1177816 #1178123 #1178330 #1178393 #1178669 #1178765 #1178782 #1178838 Cross-References: CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431 CVE-2020-0432 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381 CVE-2020-14390 CVE-2020-16120 CVE-2020-2521 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-27673 CVE-2020-27675 CVE-2020-8694 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise High Availability 
12-SP4 ______________________________________________________________________________ An update that solves 26 vulnerabilities and has 34 fixes is now available. Description: The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782). - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393). - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123). - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086). - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). - CVE-2020-12351: Implemented a kABI workaround for bluetooth l2cap_ops filter addition (bsc#1177724). - CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725). - CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bnc#1176381). - CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511). 
- CVE-2020-14381: Fixed a UAF in the fast user mutex (futex) wait operation (bsc#1176011). - CVE-2020-25643: Fixed an improper input validation in the ppp_cp_parse_cr function of the HDLC_PPP module (bnc#1177206). - CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121). - CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990). - CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235). - CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721). - CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725). - CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722). - CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423). - CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482). - CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411) - CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410). The following non-security bugs were fixed: - btrfs: remove root usage from can_overcommit (bsc#1131277). - hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816). - hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306). - hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306). - livepatch: Add -fdump-ipa-clones to build (). Add support for -fdump-ipa-clones GCC option. Update config files accordingly. 
- livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability. - NFS: On fatal writeback errors, we need to call nfs_inode_remove_request() (bsc#1177340). - NFS: only invalidate dentrys that are clearly invalid (bsc#1178669 bsc#1170139). - NFS: Revalidate the file mapping on all fatal writeback errors (bsc#1177340). - NFSv4: do not mark all open state for recovery when handling recallable state revoked flag (bsc#1176935). - obsolete_kmp: provide newer version than the obsoleted one (boo#1170232). - ocfs2: give applications more IO opportunities during fstrim (bsc#1175228). - powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968). - rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules (bsc#1176869 ltc#188243). - scsi: fnic: Do not call 'scsi_done()' for unhandled commands (bsc#1168468, bsc#1171675). - scsi: qla2xxx: Do not consume srb greedily (bsc#1173233). - scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233). - video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306). - video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306). - video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306). - x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306). - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411). - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411). - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410). - xen/events: block rogue events for some time (XSA-332 bsc#1177411). 
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3544=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3544=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3544=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3544=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-3544=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-3544=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-default-devel-debuginfo-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE OpenStack Cloud 9 (x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-default-devel-debuginfo-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE OpenStack Cloud 9 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-95.65.1
      kernel-default-base-4.12.14-95.65.1
      kernel-default-base-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      kernel-default-devel-4.12.14-95.65.1
      kernel-syms-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      kernel-devel-4.12.14-95.65.1
      kernel-macros-4.12.14-95.65.1
      kernel-source-4.12.14-95.65.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):

      kernel-default-man-4.12.14-95.65.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kernel-default-kgraft-4.12.14-95.65.1
      kernel-default-kgraft-devel-4.12.14-95.65.1
      kgraft-patch-4_12_14-95_65-default-1-6.5.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-95.65.1
      cluster-md-kmp-default-debuginfo-4.12.14-95.65.1
      dlm-kmp-default-4.12.14-95.65.1
      dlm-kmp-default-debuginfo-4.12.14-95.65.1
      gfs2-kmp-default-4.12.14-95.65.1
      gfs2-kmp-default-debuginfo-4.12.14-95.65.1
      kernel-default-debuginfo-4.12.14-95.65.1
      kernel-default-debugsource-4.12.14-95.65.1
      ocfs2-kmp-default-4.12.14-95.65.1
      ocfs2-kmp-default-debuginfo-4.12.14-95.65.1

References:

   https://www.suse.com/security/cve/CVE-2020-0404.html
   https://www.suse.com/security/cve/CVE-2020-0427.html
   https://www.suse.com/security/cve/CVE-2020-0430.html
   https://www.suse.com/security/cve/CVE-2020-0431.html
   https://www.suse.com/security/cve/CVE-2020-0432.html
   https://www.suse.com/security/cve/CVE-2020-12351.html
   https://www.suse.com/security/cve/CVE-2020-12352.html
   https://www.suse.com/security/cve/CVE-2020-14351.html
   https://www.suse.com/security/cve/CVE-2020-14381.html
   https://www.suse.com/security/cve/CVE-2020-14390.html
   https://www.suse.com/security/cve/CVE-2020-16120.html
   https://www.suse.com/security/cve/CVE-2020-2521.html
   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25284.html
   https://www.suse.com/security/cve/CVE-2020-25285.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://www.suse.com/security/cve/CVE-2020-25656.html
   https://www.suse.com/security/cve/CVE-2020-25668.html
   https://www.suse.com/security/cve/CVE-2020-25704.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-26088.html
   https://www.suse.com/security/cve/CVE-2020-27673.html
   https://www.suse.com/security/cve/CVE-2020-27675.html
   https://www.suse.com/security/cve/CVE-2020-8694.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1131277
   https://bugzilla.suse.com/1160947
   https://bugzilla.suse.com/1163524
   https://bugzilla.suse.com/1166965
   https://bugzilla.suse.com/1168468
   https://bugzilla.suse.com/1170139
   https://bugzilla.suse.com/1170232
   https://bugzilla.suse.com/1170415
   https://bugzilla.suse.com/1171417
   https://bugzilla.suse.com/1171675
   https://bugzilla.suse.com/1172073
   https://bugzilla.suse.com/1172366
   https://bugzilla.suse.com/1173115
   https://bugzilla.suse.com/1173233
   https://bugzilla.suse.com/1175228
   https://bugzilla.suse.com/1175306
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1175882
   https://bugzilla.suse.com/1176011
   https://bugzilla.suse.com/1176235
   https://bugzilla.suse.com/1176278
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176423
   https://bugzilla.suse.com/1176482
   https://bugzilla.suse.com/1176485
   https://bugzilla.suse.com/1176698
   https://bugzilla.suse.com/1176721
   https://bugzilla.suse.com/1176722
   https://bugzilla.suse.com/1176723
   https://bugzilla.suse.com/1176725
   https://bugzilla.suse.com/1176732
   https://bugzilla.suse.com/1176869
   https://bugzilla.suse.com/1176907
   https://bugzilla.suse.com/1176922
   https://bugzilla.suse.com/1176935
   https://bugzilla.suse.com/1176950
   https://bugzilla.suse.com/1176990
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177086
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177340
   https://bugzilla.suse.com/1177410
   https://bugzilla.suse.com/1177411
   https://bugzilla.suse.com/1177470
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/1177724
   https://bugzilla.suse.com/1177725
   https://bugzilla.suse.com/1177766
   https://bugzilla.suse.com/1177816
   https://bugzilla.suse.com/1178123
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1178393
   https://bugzilla.suse.com/1178669
   https://bugzilla.suse.com/1178765
   https://bugzilla.suse.com/1178782
   https://bugzilla.suse.com/1178838

From sle-security-updates at lists.suse.com  Fri Nov 27 00:06:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 08:06:58 +0100 (CET)
Subject: SUSE-CU-2020:712-1: Security update of ses/7/cephcsi/cephcsi
Message-ID: <20201127070658.77FE0FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:712-1
Container Tags        : ses/7/cephcsi/cephcsi:3.1.1 , ses/7/cephcsi/cephcsi:3.1.1.0.3.66 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.1.1 , ses/7/cephcsi/cephcsi:v3.1.1.0
Container Release     : 3.66
Severity              : important
Type                  : security
References            : 1170200 1174466 1177344 1177843 1178073 1178531 CVE-2020-25660
-----------------------------------------------------------------

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3537-1
Released:    Thu Nov 26 15:25:38 2020
Summary:     Recommended update for ceph-csi
Type:        recommended
Severity:    moderate
References:
This update for ceph-csi fixes the following issues:

- Use csi-attacher sidecar version v2.1.0 in helm charts due to build challenges with v2.1.1.
- Use upstream default CSI and sidecar versions in the helm charts.
- Add examples directory into cephfs and rbd helm charts

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3539-1
Released:    Thu Nov 26 15:52:34 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1170200,1174466,1177344,1177843,1178073,1178531,CVE-2020-25660
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically (bsc#1170200)
- mon: have 'mon stat' output json as well (bsc#1174466)
- mgr/dashboard: support Orchestrator and user-defined Ganesha cluster (bsc#1177344)
- mgr/dashboard: fix downstream NFS doc links (bsc#1178073)
- cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph (bsc#1178531)

From sle-security-updates at lists.suse.com  Fri Nov 27 00:08:10 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 08:08:10 +0100 (CET)
Subject: SUSE-CU-2020:715-1: Security update of ses/7/ceph/grafana
Message-ID: <20201127070810.19790FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:715-1
Container Tags        : ses/7/ceph/grafana:7.1.5 , ses/7/ceph/grafana:7.1.5.3.290 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus
Container Release     : 3.290
Severity              : important
Type                  : security
References            : 1170200 1174466 1177344 1177843 1178073 1178531 CVE-2020-25660
-----------------------------------------------------------------

The container ses/7/ceph/grafana was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3539-1
Released:    Thu Nov 26 15:52:34 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1170200,1174466,1177344,1177843,1178073,1178531,CVE-2020-25660
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically (bsc#1170200)
- mon: have 'mon stat' output json as well (bsc#1174466)
- mgr/dashboard: support Orchestrator and user-defined Ganesha cluster (bsc#1177344)
- mgr/dashboard: fix downstream NFS doc links (bsc#1178073)
- cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph (bsc#1178531)

From sle-security-updates at lists.suse.com  Fri Nov 27 00:10:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 08:10:01 +0100 (CET)
Subject: SUSE-CU-2020:717-1: Security update of ses/7/ceph/ceph
Message-ID: <20201127071001.D54F7FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:717-1
Container Tags        : ses/7/ceph/ceph:15.2.5.667 , ses/7/ceph/ceph:15.2.5.667.4.21 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release     : 4.21
Severity              : important
Type                  : security
References            : 1168155 1170200 1171234 1172082 1174099 1174466 1177344 1177843 1178073 1178531 959556 CVE-2020-25660
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3539-1
Released:    Thu Nov 26 15:52:34 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1170200,1174466,1177344,1177843,1178073,1178531,CVE-2020-25660
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically (bsc#1170200)
- mon: have 'mon stat' output json as well (bsc#1174466)
- mgr/dashboard: support Orchestrator and user-defined Ganesha cluster (bsc#1177344)
- mgr/dashboard: fix downstream NFS doc links (bsc#1178073)
- cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph (bsc#1178531)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3540-1
Released:    Thu Nov 26 15:57:16 2020
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1168155,1171234,1172082,1174099,959556
This update for wicked fixes the following issues:

- Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099)
- Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770)
- Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082)
- Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234)
- Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556)

From sle-security-updates at lists.suse.com  Fri Nov 27 00:19:25 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 08:19:25 +0100 (CET)
Subject: SUSE-CU-2020:728-1: Security update of ses/7/rook/ceph
Message-ID: <20201127071925.51A06FBB3@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:728-1
Container Tags        : ses/7/rook/ceph:1.4.7 , ses/7/rook/ceph:1.4.7.6 , ses/7/rook/ceph:1.4.7.6.1.1381 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1381
Severity              : important
Type                  : security
References            : 1170200 1174466 1177344 1177843 1178073 1178531 CVE-2020-25660
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3539-1
Released:    Thu Nov 26 15:52:34 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1170200,1174466,1177344,1177843,1178073,1178531,CVE-2020-25660
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843).
- mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically (bsc#1170200)
- mon: have 'mon stat' output json as well (bsc#1174466)
- mgr/dashboard: support Orchestrator and user-defined Ganesha cluster (bsc#1177344)
- mgr/dashboard: fix downstream NFS doc links (bsc#1178073)
- cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph (bsc#1178531)

From sle-security-updates at lists.suse.com  Fri Nov 27 07:20:33 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 15:20:33 +0100 (CET)
Subject: SUSE-SU-2020:3548-1: important: Security update for MozillaFirefox
Message-ID: <20201127142033.3D193F7E7@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3548-1
Rating:             important
References:         #1178824
Cross-References:   CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26953
                    CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960
                    CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
  * CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
  * CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
  * CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
  * CVE-2020-26956: XSS through paste (manual and clipboard API)
  * CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
  * CVE-2020-26959: Use-after-free in WebRequestService
  * CVE-2020-26960: Potential use-after-free in uses of nsTArray
  * CVE-2020-15999: Heap buffer overflow in freetype
  * CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965: Software keyboards may have remembered typed passwords
  * CVE-2020-26966: Single-word search queries were also broadcast to local network
  * CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3548=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3548=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3548=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3548=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3548=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3548=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3548=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3548=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3548=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3548=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-3548=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-3548=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE OpenStack Cloud 9 (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE OpenStack Cloud 8 (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

   - HPE Helion Openstack 8 (x86_64):

      MozillaFirefox-78.5.0-112.36.1
      MozillaFirefox-debuginfo-78.5.0-112.36.1
      MozillaFirefox-debugsource-78.5.0-112.36.1
      MozillaFirefox-devel-78.5.0-112.36.1
      MozillaFirefox-translations-common-78.5.0-112.36.1

References:

   https://www.suse.com/security/cve/CVE-2020-15999.html
   https://www.suse.com/security/cve/CVE-2020-16012.html
   https://www.suse.com/security/cve/CVE-2020-26951.html
   https://www.suse.com/security/cve/CVE-2020-26953.html
   https://www.suse.com/security/cve/CVE-2020-26956.html
   https://www.suse.com/security/cve/CVE-2020-26958.html
   https://www.suse.com/security/cve/CVE-2020-26959.html
   https://www.suse.com/security/cve/CVE-2020-26960.html
   https://www.suse.com/security/cve/CVE-2020-26961.html
   https://www.suse.com/security/cve/CVE-2020-26965.html
   https://www.suse.com/security/cve/CVE-2020-26966.html
   https://www.suse.com/security/cve/CVE-2020-26968.html
   https://bugzilla.suse.com/1178824

From sle-security-updates at lists.suse.com  Fri Nov 27 10:15:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 18:15:13 +0100 (CET)
Subject: SUSE-SU-2020:2474-2: moderate: Security update for libX11
Message-ID: <20201127171513.31944F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for libX11
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2474-2
Rating:             moderate
References:         #1175239
Cross-References:   CVE-2020-14363
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

This update for libX11 fixes the following issues:

- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2474=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-2474=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2474=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2474=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libX11-6-1.6.5-3.12.1
      libX11-6-debuginfo-1.6.5-3.12.1
      libX11-debugsource-1.6.5-3.12.1
      libX11-devel-1.6.5-3.12.1
      libX11-xcb1-1.6.5-3.12.1
      libX11-xcb1-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      libX11-data-1.6.5-3.12.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libX11-6-32bit-1.6.5-3.12.1
      libX11-6-32bit-debuginfo-1.6.5-3.12.1
      libX11-xcb1-32bit-1.6.5-3.12.1
      libX11-xcb1-32bit-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libX11-6-1.6.5-3.12.1
      libX11-6-debuginfo-1.6.5-3.12.1
      libX11-debugsource-1.6.5-3.12.1
      libX11-devel-1.6.5-3.12.1
      libX11-xcb1-1.6.5-3.12.1
      libX11-xcb1-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      libX11-data-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libX11-6-1.6.5-3.12.1
      libX11-6-debuginfo-1.6.5-3.12.1
      libX11-debugsource-1.6.5-3.12.1
      libX11-devel-1.6.5-3.12.1
      libX11-xcb1-1.6.5-3.12.1
      libX11-xcb1-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libX11-6-32bit-1.6.5-3.12.1
      libX11-6-32bit-debuginfo-1.6.5-3.12.1
      libX11-xcb1-32bit-1.6.5-3.12.1
      libX11-xcb1-32bit-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      libX11-data-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libX11-6-1.6.5-3.12.1
      libX11-6-debuginfo-1.6.5-3.12.1
      libX11-debugsource-1.6.5-3.12.1
      libX11-devel-1.6.5-3.12.1
      libX11-xcb1-1.6.5-3.12.1
      libX11-xcb1-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libX11-6-32bit-1.6.5-3.12.1
      libX11-6-32bit-debuginfo-1.6.5-3.12.1
      libX11-xcb1-32bit-1.6.5-3.12.1
      libX11-xcb1-32bit-debuginfo-1.6.5-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      libX11-data-1.6.5-3.12.1

References:

   https://www.suse.com/security/cve/CVE-2020-14363.html
   https://bugzilla.suse.com/1175239

From sle-security-updates at lists.suse.com  Fri Nov 27 10:16:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 18:16:17 +0100 (CET)
Subject: SUSE-SU-2020:3550-1: important: Security update for LibVNCServer
Message-ID: <20201127171617.11C6CF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3550-1
Rating:             important
References:         #1178682
Cross-References:   CVE-2020-25708
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

This update for LibVNCServer fixes the following issues:

- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-3550=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-3550=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-3550=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-3550=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3550=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3550=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-3550=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-3550=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-3550=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-3550=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-3550=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-3550=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE OpenStack Cloud 9 (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE OpenStack Cloud 8 (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      LibVNCServer-devel-0.9.9-17.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

   - HPE Helion Openstack 8 (x86_64):

      LibVNCServer-debugsource-0.9.9-17.34.1
      libvncclient0-0.9.9-17.34.1
      libvncclient0-debuginfo-0.9.9-17.34.1
      libvncserver0-0.9.9-17.34.1
      libvncserver0-debuginfo-0.9.9-17.34.1

References:

   https://www.suse.com/security/cve/CVE-2020-25708.html
   https://bugzilla.suse.com/1178682

From sle-security-updates at lists.suse.com  Fri Nov 27 10:17:20 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 18:17:20 +0100 (CET)
Subject: SUSE-SU-2020:3549-1: important: Security update for nodejs12
Message-ID: <20201127171720.C1618F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3549-1
Rating:             important
References:         #1178882
Cross-References:   CVE-2020-8277
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

This update for nodejs12 fixes the following issues:

Update to 12.19.1 fixing:

- CVE-2020-8277: Denial of Service through DNS request (bsc#1178882).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-3549=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      nodejs12-12.19.1-1.23.1
      nodejs12-debuginfo-12.19.1-1.23.1
      nodejs12-debugsource-12.19.1-1.23.1
      nodejs12-devel-12.19.1-1.23.1
      npm12-12.19.1-1.23.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs12-docs-12.19.1-1.23.1

References:

   https://www.suse.com/security/cve/CVE-2020-8277.html
   https://bugzilla.suse.com/1178882

From sle-security-updates at lists.suse.com  Fri Nov 27 10:21:59 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 18:21:59 +0100 (CET)
Subject: SUSE-SU-2020:3551-1: moderate: Security update for libssh2_org
Message-ID: <20201127172159.6E850F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for libssh2_org
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3551-1
Rating:             moderate
References:         #1130103 #1178083 SLE-16922
Cross-References:   CVE-2019-17498 CVE-2019-3855 CVE-2019-3856 CVE-2019-3857
                    CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861
                    CVE-2019-3862 CVE-2019-3863
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes 10 vulnerabilities and contains one feature is now
   available.

Description:

   This update for libssh2_org fixes the following issues:

   - Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]

     Enhancements and bugfixes:
     * adds ECDSA keys and host key support when using OpenSSL
     * adds ED25519 key and host key support when using OpenSSL 1.1.1
     * adds OpenSSH style key file reading
     * adds AES CTR mode support when using WinCNG
     * adds PEM passphrase protected file support for Libgcrypt and WinCNG
     * adds SHA256 hostkey fingerprint
     * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
     * adds explicit zeroing of sensitive data in memory
     * adds additional bounds checks to network buffer reads
     * adds the ability to use the server default permissions when creating sftp directories
     * adds support for building with OpenSSL no engine flag
     * adds support for building with LibreSSL
     * increased sftp packet size to 256k
     * fixed oversized packet handling in sftp
     * fixed building with OpenSSL 1.1
     * fixed a possible crash if sftp stat gets an unexpected response
     * fixed incorrect parsing of the KEX preference string value
     * fixed conditional RSA and AES-CTR support
     * fixed a small memory leak during the key exchange process
     * fixed a possible memory leak of the ssh banner string
     * fixed various small memory leaks in the backends
     * fixed possible out of bounds read when parsing public keys from the server
     * fixed possible out of bounds read when parsing invalid PEM files
     * no longer null terminates the scp remote exec command
     * now handles errors when diffie hellman key pair generation fails
     * improved building instructions
     * improved unit tests

   - Version update to 1.8.2: [bsc#1130103]

     Bug fixes:
     * Fixed the misapplied userauth patch that broke 1.8.1
     * moved the MAX size declarations from the public header

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3551=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3551=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3551=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3551=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3551=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3551=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise Server for SAP 15 (x86_64):
      libssh2-1-32bit-1.9.0-4.13.1
      libssh2-1-32bit-debuginfo-1.9.0-4.13.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
      libssh2-1-32bit-1.9.0-4.13.1
      libssh2-1-32bit-debuginfo-1.9.0-4.13.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
      libssh2-1-32bit-1.9.0-4.13.1
      libssh2-1-32bit-debuginfo-1.9.0-4.13.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
      libssh2-1-32bit-1.9.0-4.13.1
      libssh2-1-32bit-debuginfo-1.9.0-4.13.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      libssh2-1-1.9.0-4.13.1
      libssh2-1-debuginfo-1.9.0-4.13.1
      libssh2-devel-1.9.0-4.13.1
      libssh2_org-debugsource-1.9.0-4.13.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
      libssh2-1-32bit-1.9.0-4.13.1
      libssh2-1-32bit-debuginfo-1.9.0-4.13.1

References:

   https://www.suse.com/security/cve/CVE-2019-17498.html
   https://www.suse.com/security/cve/CVE-2019-3855.html
   https://www.suse.com/security/cve/CVE-2019-3856.html
   https://www.suse.com/security/cve/CVE-2019-3857.html
   https://www.suse.com/security/cve/CVE-2019-3858.html
   https://www.suse.com/security/cve/CVE-2019-3859.html
   https://www.suse.com/security/cve/CVE-2019-3860.html
   https://www.suse.com/security/cve/CVE-2019-3861.html
   https://www.suse.com/security/cve/CVE-2019-3862.html
   https://www.suse.com/security/cve/CVE-2019-3863.html
   https://bugzilla.suse.com/1130103
   https://bugzilla.suse.com/1178083

From sle-security-updates at lists.suse.com Fri Nov 27 13:15:43 2020
From:
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 27 Nov 2020 21:15:43 +0100 (CET)
Subject: SUSE-SU-2020:3552-1: moderate: Security update for binutils
Message-ID: <20201127201543.A40B4F7E7@maintenance.suse.de>

   SUSE Security Update: Security update for binutils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3552-1
Rating:             moderate
References:         #1126826 #1126829 #1126831 #1140126 #1142649 #1143609
                    #1153768 #1153770 #1157755 #1160254 #1160590 #1163333
                    #1163744 #1179036 ECO-2373 SLE-7464 SLE-7903
Cross-References:   CVE-2019-12972 CVE-2019-14250 CVE-2019-14444 CVE-2019-17450
                    CVE-2019-17451 CVE-2019-9074 CVE-2019-9075 CVE-2019-9077
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves 8 vulnerabilities, contains three features and has 6
   fixes is now available.

Description:

   This update for binutils fixes the following issues:

   binutils was updated to version 2.35.1 (jsc#ECO-2373)

   Additional branch fixes applied on top of 2.35.1:

   * Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain
     DWARF variable descriptions.
   * Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740,
     PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711
   * The above includes fixes for dwo files produced by modern dwp, fixing
     several problems in the DWARF reader.

   Update to binutils 2.35.1 and rebased branch diff:

   * This is a point release over the previous 2.35 version, containing bug
     fixes, and as an exception to the usual rule, one new feature. The new
     feature is the support for a new directive in the assembler: ".nop".
     This directive creates a single no-op instruction in whatever encoding
     is correct for the target architecture. Unlike the .space or .fill
     directives this is a real instruction, and it does affect the generation
     of DWARF line number tables, should they be enabled.

   Update to binutils 2.35:

   * The assembler can now produce DWARF-5 format line number tables.
   * Readelf now has a "lint" mode to enable extra checks of the files it is
     processing.
   * Readelf will now display "[...]" when it has to truncate a symbol name.
     The old behaviour - of displaying as many characters as possible, up to
     the 80 column limit - can be restored by the use of the
     --silent-truncation option.
   * The linker can now produce a dependency file listing the inputs that it
     has processed, much like the -M -MP option supported by the compiler.
   - fix DT_NEEDED order with -flto [bsc#1163744]

   Update to binutils 2.34:

   * The disassembler (objdump --disassemble) now has an option to generate
     ascii art that shows the arcs between the start and end points of
     control flow instructions.
   * The binutils tools now have support for debuginfod. Debuginfod is a HTTP
     service for distributing ELF/DWARF debugging information as well as
     source code. The tools can now connect to debuginfod servers in order to
     download debug information about the files that they are processing.
   * The assembler and linker now support the generation of ELF format files
     for the Z80 architecture.
   - Add new subpackages for libctf and libctf-nobfd.
   - Disable LTO due to bsc#1163333.
   - Includes fixes for these CVEs:
     bsc#1153768 aka CVE-2019-17451 aka PR25070
     bsc#1153770 aka CVE-2019-17450 aka PR25078
   - fix various build fails on aarch64 (PR25210, bsc#1157755).

   Update to binutils 2.33.1:

   * Adds support for the Arm Scalable Vector Extension version 2 (SVE2)
     instructions, the Arm Transactional Memory Extension (TME) instructions
     and the Armv8.1-M Mainline and M-profile Vector Extension (MVE)
     instructions.
   * Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
     processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
     Cortex-A76AE, and Cortex-A77 processors.
   * Adds a .float16 directive for both Arm and AArch64 to allow encoding of
     16-bit floating point literals.
   * For MIPS, add the -m[no-]fix-loongson3-llsc option to fix (or not)
     Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
     configure time option to set the default behavior. The default, if the
     configure option is not used, is "no".
   * The Cortex-A53 Erratum 843419 workaround now supports a choice of which
     workaround to use. The option --fix-cortex-a53-843419 now takes an
     optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be
     used to force a particular workaround to be used. See --help for AArch64
     for more details.
   * Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
     GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the
     AArch64 ELF linker.
   * Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
     on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
     on inputs and use PLTs protected with BTI.
   * Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
   * Add --source-comment[=<txt>] option to objdump which if present, provides
     a prefix to source code lines displayed in a disassembly.
   * Add --set-section-alignment <section-name>=<align> option to objcopy to
     allow the changing of section alignments.
   * Add --verilog-data-width option to objcopy for verilog targets to control
     width of data elements in verilog hex format.
   * The separate debug info file options of readelf (--debug-dump=links and
     --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links)
     will now display and/or follow multiple links if more than one are
     present in a file. (This usually happens when gcc's -gsplit-dwarf option
     is used). In addition objdump's --dwarf=follow-links now also affects its
     other display options, so that for example, when combined with --syms it
     will cause the symbol tables in any linked debug info files to also be
     displayed. In addition when combined with --disassemble the
     --dwarf=follow-links option will ensure that any symbol tables in the
     linked files are read and used when disassembling code in the main file.
   * Add support for dumping types encoded in the Compact Type Format to
     objdump and readelf.
   - Includes fixes for these CVEs:
     bsc#1126826 aka CVE-2019-9077 aka PR1126826
     bsc#1126829 aka CVE-2019-9075 aka PR1126829
     bsc#1126831 aka CVE-2019-9074 aka PR24235
     bsc#1140126 aka CVE-2019-12972 aka PR23405
     bsc#1143609 aka CVE-2019-14444 aka PR24829
     bsc#1142649 aka CVE-2019-14250 aka PR90924
   * Add xBPF target
   * Fix various problems with DWARF 5 support in gas
   * fix nm -B for objects compiled with -flto and -fcommon.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3552=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3552=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3552=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3552=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      binutils-2.35.1-6.15.1
      binutils-debuginfo-2.35.1-6.15.1
      binutils-debugsource-2.35.1-6.15.1
      binutils-devel-2.35.1-6.15.1
      libctf-nobfd0-2.35.1-6.15.1
      libctf-nobfd0-debuginfo-2.35.1-6.15.1
      libctf0-2.35.1-6.15.1
      libctf0-debuginfo-2.35.1-6.15.1
   - SUSE Linux Enterprise Server for SAP 15 (x86_64):
      binutils-devel-32bit-2.35.1-6.15.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      binutils-2.35.1-6.15.1
      binutils-debuginfo-2.35.1-6.15.1
      binutils-debugsource-2.35.1-6.15.1
      binutils-devel-2.35.1-6.15.1
      libctf-nobfd0-2.35.1-6.15.1
      libctf-nobfd0-debuginfo-2.35.1-6.15.1
      libctf0-2.35.1-6.15.1
      libctf0-debuginfo-2.35.1-6.15.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      binutils-2.35.1-6.15.1
      binutils-debuginfo-2.35.1-6.15.1
      binutils-debugsource-2.35.1-6.15.1
      binutils-devel-2.35.1-6.15.1
      libctf-nobfd0-2.35.1-6.15.1
      libctf-nobfd0-debuginfo-2.35.1-6.15.1
      libctf0-2.35.1-6.15.1
      libctf0-debuginfo-2.35.1-6.15.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
      binutils-devel-32bit-2.35.1-6.15.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      binutils-2.35.1-6.15.1
      binutils-debuginfo-2.35.1-6.15.1
      binutils-debugsource-2.35.1-6.15.1
      binutils-devel-2.35.1-6.15.1
      libctf-nobfd0-2.35.1-6.15.1
      libctf-nobfd0-debuginfo-2.35.1-6.15.1
      libctf0-2.35.1-6.15.1
      libctf0-debuginfo-2.35.1-6.15.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
      binutils-devel-32bit-2.35.1-6.15.1

References:

   https://www.suse.com/security/cve/CVE-2019-12972.html
   https://www.suse.com/security/cve/CVE-2019-14250.html
   https://www.suse.com/security/cve/CVE-2019-14444.html
   https://www.suse.com/security/cve/CVE-2019-17450.html
   https://www.suse.com/security/cve/CVE-2019-17451.html
   https://www.suse.com/security/cve/CVE-2019-9074.html
   https://www.suse.com/security/cve/CVE-2019-9075.html
   https://www.suse.com/security/cve/CVE-2019-9077.html
   https://bugzilla.suse.com/1126826
   https://bugzilla.suse.com/1126829
   https://bugzilla.suse.com/1126831
   https://bugzilla.suse.com/1140126
   https://bugzilla.suse.com/1142649
   https://bugzilla.suse.com/1143609
   https://bugzilla.suse.com/1153768
   https://bugzilla.suse.com/1153770
   https://bugzilla.suse.com/1157755
   https://bugzilla.suse.com/1160254
   https://bugzilla.suse.com/1160590
   https://bugzilla.suse.com/1163333
   https://bugzilla.suse.com/1163744
   https://bugzilla.suse.com/1179036

From sle-security-updates at lists.suse.com Mon Nov 30 13:17:43 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:17:43 +0100 (CET)
Subject: SUSE-SU-2020:3565-1: important: Security update for python-pip
Message-ID: <20201130201743.6DC81F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for python-pip
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3565-1
Rating:             important
References:         #1176262
Cross-References:   CVE-2019-20916
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-pip fixes the following issues:

   - Fixed a directory traversal in _download_http_url() (bsc#1176262
     CVE-2019-20916)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3565=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3565=1
   - SUSE Linux Enterprise Module for Python2 15-SP3:
     zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2020-3565=1
   - SUSE Linux Enterprise Module for Python2 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3565=1
   - SUSE Linux Enterprise Module for Python2 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3565=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2020-3565=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3565=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3565=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3565=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3565=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (noarch):
      python2-pip-10.0.1-3.6.1
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Server 15-LTSS (noarch):
      python2-pip-10.0.1-3.6.1
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Python2 15-SP3 (noarch):
      python2-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):
      python2-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Python2 15-SP1 (noarch):
      python2-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
      python2-pip-10.0.1-3.6.1
      python3-pip-10.0.1-3.6.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
      python2-pip-10.0.1-3.6.1
      python3-pip-10.0.1-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2019-20916.html
   https://bugzilla.suse.com/1176262

From sle-security-updates at lists.suse.com Mon Nov 30 13:18:47 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:18:47 +0100 (CET)
Subject: SUSE-SU-2020:3566-1: important: Security update for python-setuptools
Message-ID: <20201130201847.926FDF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for python-setuptools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3566-1
Rating:             important
References:         #1176262
Cross-References:   CVE-2019-20916
Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-setuptools fixes the following issues:

   - Fixed a directory traversal in _download_http_url() (bsc#1176262
     CVE-2019-20916)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3566=1
   - SUSE Linux Enterprise Module for Python2 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3566=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3566=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3566=1

Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):
      python2-setuptools-40.5.0-6.3.1
   - SUSE Linux Enterprise Module for Python2 15-SP1 (noarch):
      python2-setuptools-40.5.0-6.3.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      python3-setuptools-40.5.0-6.3.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      python3-setuptools-40.5.0-6.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-20916.html
   https://bugzilla.suse.com/1176262

From sle-security-updates at lists.suse.com Mon Nov 30 13:21:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:21:44 +0100 (CET)
Subject: SUSE-SU-2020:3568-1: important: Security update for mutt
Message-ID: <20201130202144.B3574F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for mutt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3568-1
Rating:             important
References:         #1179035 #1179113
Cross-References:   CVE-2020-28896
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has one erratum is now
   available.

Description:

   This update for mutt fixes the following issues:

   - CVE-2020-28896: incomplete connection termination could lead to sending
     credentials over unencrypted connections (bsc#1179035)
   - Avoid that a message with a million tiny parts can freeze the MUA for
     several minutes (bsc#1179113)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3568=1
   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3568=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2020-3568=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3568=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
     zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3568=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3568=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3568=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise Server for SAP 15 (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise Server 15-LTSS (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      mutt-1.10.1-3.11.1
      mutt-debuginfo-1.10.1-3.11.1
      mutt-debugsource-1.10.1-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
      mutt-doc-1.10.1-3.11.1
      mutt-lang-1.10.1-3.11.1

References:

   https://www.suse.com/security/cve/CVE-2020-28896.html
   https://bugzilla.suse.com/1179035
   https://bugzilla.suse.com/1179113

From sle-security-updates at lists.suse.com Mon Nov 30 13:22:50 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:22:50 +0100 (CET)
Subject: SUSE-SU-2020:3563-1: important: Security update for python36
Message-ID: <20201130202250.7C0CEF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for python36
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3563-1
Rating:             important
References:         #1149955 #1165894 #1174091 #1176262 #1177211 ECO-2799
                    SLE-13738
Cross-References:   CVE-2019-16056 CVE-2019-20907 CVE-2019-20916 CVE-2019-5010
                    CVE-2020-14422 CVE-2020-26116 CVE-2020-8492
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes 7 vulnerabilities and contains two features is now
   available.

Description:

   This update for python36 fixes the following issues:

   Update to 3.6.12, including the following fixes:

   - Fixed a directory traversal in _download_http_url() (bsc#1176262
     CVE-2019-20916)
   - Fixed CRLF injection via HTTP request method in httplib/http.client
     (bsc#1177211 CVE-2020-26116)
   - Fixed possible infinite loop in specifically crafted tarball
     (bsc#1174091 CVE-2019-20907)
   - Fixed a CRLF injection via the host part of the url passed to urlopen()
     (bsc#1155094 CVE-2019-18348)
   - Renamed idle icons to idle3 in order to avoid conflicts with python2
     (bsc#1165894)
   - A handful of compatibility changes between SLE15 and SLE12 (jsc#ECO-2799,
     jsc#SLE-13738, bsc#1179193)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:
     zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-3563=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libpython3_6m1_0-3.6.12-4.22.2
      libpython3_6m1_0-debuginfo-3.6.12-4.22.2
      python36-3.6.12-4.22.2
      python36-base-3.6.12-4.22.2
      python36-base-debuginfo-3.6.12-4.22.2
      python36-debuginfo-3.6.12-4.22.2
      python36-debugsource-3.6.12-4.22.2

References:

   https://www.suse.com/security/cve/CVE-2019-16056.html
   https://www.suse.com/security/cve/CVE-2019-20907.html
   https://www.suse.com/security/cve/CVE-2019-20916.html
   https://www.suse.com/security/cve/CVE-2019-5010.html
   https://www.suse.com/security/cve/CVE-2020-14422.html
   https://www.suse.com/security/cve/CVE-2020-26116.html
   https://www.suse.com/security/cve/CVE-2020-8492.html
   https://bugzilla.suse.com/1149955
   https://bugzilla.suse.com/1165894
   https://bugzilla.suse.com/1174091
   https://bugzilla.suse.com/1176262
   https://bugzilla.suse.com/1177211

From sle-security-updates at lists.suse.com Mon Nov 30 13:24:12 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:24:12 +0100 (CET)
Subject: SUSE-SU-2020:3564-1: important: Security update for mariadb
Message-ID: <20201130202412.56309F7D6@maintenance.suse.de>

   SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3564-1
Rating:             important
References:         #1177472 #1178428
Cross-References:   CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812
                    CVE-2020-15180
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for mariadb fixes the following issues:

   Update to 10.4.17 [bsc#1177472] and [bsc#1178428], fixing the following
   security vulnerabilities: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776,
   CVE-2020-14789, CVE-2020-15180

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:
     zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-3564=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
      libmariadbd-devel-10.4.17-3.6.1
      libmariadbd19-10.4.17-3.6.1
      libmariadbd19-debuginfo-10.4.17-3.6.1
      mariadb-10.4.17-3.6.1
      mariadb-client-10.4.17-3.6.1
      mariadb-client-debuginfo-10.4.17-3.6.1
      mariadb-debuginfo-10.4.17-3.6.1
      mariadb-debugsource-10.4.17-3.6.1
      mariadb-tools-10.4.17-3.6.1
      mariadb-tools-debuginfo-10.4.17-3.6.1
   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
      mariadb-errormessages-10.4.17-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2020-14765.html
   https://www.suse.com/security/cve/CVE-2020-14776.html
   https://www.suse.com/security/cve/CVE-2020-14789.html
   https://www.suse.com/security/cve/CVE-2020-14812.html
   https://www.suse.com/security/cve/CVE-2020-15180.html
   https://bugzilla.suse.com/1177472
   https://bugzilla.suse.com/1178428

From sle-security-updates at lists.suse.com Mon Nov 30 13:25:16 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Nov 2020 21:25:16 +0100 (CET)
Subject: SUSE-SU-2020:14551-1: important: Security update for mutt
Message-ID: <20201130202516.1FA2EF7D6@maintenance.suse.de>

   SUSE Security Update: Security update for mutt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14551-1
Rating:             important
References:         #1179035 #1179113
Cross-References:   CVE-2020-28896
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one erratum is now
   available.

Description:

   This update for mutt fixes the following issues:

   - CVE-2020-28896: incomplete connection termination could lead to sending
     credentials over unencrypted connections (bsc#1179035)
   - Avoid that a message with a million tiny parts can freeze the MUA for
     several minutes (bsc#1179113)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
     zypper in -t patch slessp4-mutt-14551=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
     zypper in -t patch sleposp3-mutt-14551=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-mutt-14551=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
     zypper in -t patch dbgsp3-mutt-14551=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
      mutt-1.5.17-42.56.1
   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      mutt-1.5.17-42.56.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
      mutt-debuginfo-1.5.17-42.56.1
      mutt-debugsource-1.5.17-42.56.1
   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      mutt-debuginfo-1.5.17-42.56.1
      mutt-debugsource-1.5.17-42.56.1

References:

   https://www.suse.com/security/cve/CVE-2020-28896.html
   https://bugzilla.suse.com/1179035
   https://bugzilla.suse.com/1179113
