From sle-security-updates at lists.suse.com Thu Apr 1 13:16:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 15:16:33 +0200 (CEST)
Subject: SUSE-SU-2021:14684-1: important: Security update for MozillaFirefox
Message-ID: <20210401131633.A31AAF79F@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14684-1
Rating:             important
References:         #1183942
Cross-References:   CVE-2021-23981 CVE-2021-23982 CVE-2021-23984
                    CVE-2021-23987
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
     * CVE-2021-23981: Texture upload into an unbound backing buffer
       resulted in an out-of-bound read
     * CVE-2021-23982: Internal network hosts could have been probed by a
       malicious webpage
     * CVE-2021-23984: Malicious extensions could have spoofed popup
       information
     * CVE-2021-23987: Memory safety bugs

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-MozillaFirefox-14684=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-MozillaFirefox-14684=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):

      MozillaFirefox-78.9.0-78.123.1
      MozillaFirefox-translations-common-78.9.0-78.123.1
      MozillaFirefox-translations-other-78.9.0-78.123.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      MozillaFirefox-debuginfo-78.9.0-78.123.1

References:

   https://www.suse.com/security/cve/CVE-2021-23981.html
   https://www.suse.com/security/cve/CVE-2021-23982.html
   https://www.suse.com/security/cve/CVE-2021-23984.html
   https://www.suse.com/security/cve/CVE-2021-23987.html
   https://bugzilla.suse.com/1183942

From sle-security-updates at lists.suse.com Thu Apr 1 19:15:49 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 21:15:49 +0200 (CEST)
Subject: SUSE-SU-2021:1008-1: important: Security update for tomcat
Message-ID: <20210401191549.EE443F78E@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1008-1
Rating:             important
References:         #1182909 #1182912
Cross-References:   CVE-2021-25122 CVE-2021-25329
CVSS scores:
                    CVE-2021-25122 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25122 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP3
                    SUSE Linux Enterprise Module for Web Scripting 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for tomcat fixes the following issues:

   CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
   CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP3-2021-1008=1

   - SUSE Linux Enterprise Module for Web Scripting 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2021-1008=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP3 (noarch):

      tomcat-9.0.36-3.24.1
      tomcat-admin-webapps-9.0.36-3.24.1
      tomcat-el-3_0-api-9.0.36-3.24.1
      tomcat-jsp-2_3-api-9.0.36-3.24.1
      tomcat-lib-9.0.36-3.24.1
      tomcat-servlet-4_0-api-9.0.36-3.24.1
      tomcat-webapps-9.0.36-3.24.1

   - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch):

      tomcat-9.0.36-3.24.1
      tomcat-admin-webapps-9.0.36-3.24.1
      tomcat-el-3_0-api-9.0.36-3.24.1
      tomcat-jsp-2_3-api-9.0.36-3.24.1
      tomcat-lib-9.0.36-3.24.1
      tomcat-servlet-4_0-api-9.0.36-3.24.1
      tomcat-webapps-9.0.36-3.24.1

References:

   https://www.suse.com/security/cve/CVE-2021-25122.html
   https://www.suse.com/security/cve/CVE-2021-25329.html
   https://bugzilla.suse.com/1182909
   https://bugzilla.suse.com/1182912

From sle-security-updates at lists.suse.com Thu Apr 1 19:16:54 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 21:16:54 +0200 (CEST)
Subject: SUSE-SU-2021:1006-1: moderate: Security update for curl
Message-ID: <20210401191654.D9779F78E@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1006-1
Rating:             moderate
References:         #1183933 #1183934
Cross-References:   CVE-2021-22876 CVE-2021-22890
CVSS scores:
                    CVE-2021-22876 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-22890 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for curl fixes the following issues:

   - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
   - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1006=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1006=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      curl-7.66.0-4.14.1
      curl-debuginfo-7.66.0-4.14.1
      curl-debugsource-7.66.0-4.14.1
      libcurl4-7.66.0-4.14.1
      libcurl4-debuginfo-7.66.0-4.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      curl-7.66.0-4.14.1
      curl-debuginfo-7.66.0-4.14.1
      curl-debugsource-7.66.0-4.14.1
      libcurl-devel-7.66.0-4.14.1
      libcurl4-7.66.0-4.14.1
      libcurl4-debuginfo-7.66.0-4.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libcurl4-32bit-7.66.0-4.14.1
      libcurl4-32bit-debuginfo-7.66.0-4.14.1

References:

   https://www.suse.com/security/cve/CVE-2021-22876.html
   https://www.suse.com/security/cve/CVE-2021-22890.html
   https://bugzilla.suse.com/1183933
   https://bugzilla.suse.com/1183934

From sle-security-updates at lists.suse.com Thu Apr 1 19:19:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 21:19:01 +0200 (CEST)
Subject: SUSE-SU-2021:1009-1: important: Security update for tomcat
Message-ID: <20210401191901.C1E42F78E@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1009-1
Rating:             important
References:         #1180947 #1182909 #1182912
Cross-References:   CVE-2021-24122 CVE-2021-25122 CVE-2021-25329
CVSS scores:
                    CVE-2021-24122 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-24122 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25122 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25122 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for tomcat fixes the following issues:

   - CVE-2021-24122: Fixed an information disclosure if resources are served
     from the NTFS file system (bsc#1180947).
   - CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
   - CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1009=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1009=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1009=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1009=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1009=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1009=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1009=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1009=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1009=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Manager Retail Branch Server 4.0 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Manager Proxy 4.0 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE Enterprise Storage 6 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

   - SUSE CaaS Platform 4.0 (noarch):

      tomcat-9.0.36-4.58.1
      tomcat-admin-webapps-9.0.36-4.58.1
      tomcat-el-3_0-api-9.0.36-4.58.1
      tomcat-jsp-2_3-api-9.0.36-4.58.1
      tomcat-lib-9.0.36-4.58.1
      tomcat-servlet-4_0-api-9.0.36-4.58.1
      tomcat-webapps-9.0.36-4.58.1

References:

   https://www.suse.com/security/cve/CVE-2021-24122.html
   https://www.suse.com/security/cve/CVE-2021-25122.html
   https://www.suse.com/security/cve/CVE-2021-25329.html
   https://bugzilla.suse.com/1180947
   https://bugzilla.suse.com/1182909
   https://bugzilla.suse.com/1182912

From sle-security-updates at lists.suse.com Thu Apr 1 19:22:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 21:22:26 +0200 (CEST)
Subject: SUSE-SU-2021:1007-1: important: Security update for MozillaFirefox
Message-ID: <20210401192226.D94C4F78E@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1007-1
Rating:             important
References:         #1183942
Cross-References:   CVE-2021-23981 CVE-2021-23982 CVE-2021-23984
                    CVE-2021-23987
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
     * CVE-2021-23981: Texture upload into an unbound backing buffer
       resulted in an out-of-bound read
     * CVE-2021-23982: Internal network hosts could have been probed by a
       malicious webpage
     * CVE-2021-23984: Malicious extensions could have spoofed popup
       information
     * CVE-2021-23987: Memory safety bugs

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1007=1

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1007=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1007=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1007=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1007=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1007=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1007=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1007=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1007=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1007=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1007=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1007=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1007=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1007=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1007=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Manager Server 4.0 (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Manager Proxy 4.0 (x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

   - SUSE Enterprise Storage 6 (x86_64):

      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1

   - SUSE CaaS Platform 4.0 (x86_64):

      MozillaFirefox-78.9.0-3.136.1
      MozillaFirefox-branding-SLE-78-4.16.1
      MozillaFirefox-debuginfo-78.9.0-3.136.1
      MozillaFirefox-debugsource-78.9.0-3.136.1
      MozillaFirefox-devel-78.9.0-3.136.1
      MozillaFirefox-translations-common-78.9.0-3.136.1
      MozillaFirefox-translations-other-78.9.0-3.136.1
      mozilla-nspr-32bit-4.25.1-3.17.1
      mozilla-nspr-32bit-debuginfo-4.25.1-3.17.1
      mozilla-nspr-4.25.1-3.17.1
      mozilla-nspr-debuginfo-4.25.1-3.17.1
      mozilla-nspr-debugsource-4.25.1-3.17.1
      mozilla-nspr-devel-4.25.1-3.17.1

References:

   https://www.suse.com/security/cve/CVE-2021-23981.html
   https://www.suse.com/security/cve/CVE-2021-23982.html
   https://www.suse.com/security/cve/CVE-2021-23984.html
   https://www.suse.com/security/cve/CVE-2021-23987.html
   https://bugzilla.suse.com/1183942

From sle-security-updates at lists.suse.com Thu Apr 1 19:25:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Apr 2021 21:25:25 +0200 (CEST)
Subject: SUSE-SU-2021:1010-1: moderate: Security update for OpenIPMI
Message-ID: <20210401192525.722AAF78E@maintenance.suse.de>

   SUSE Security Update: Security update for OpenIPMI
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1010-1
Rating:             moderate
References:         #1183178
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for OpenIPMI fixes the following issues:

   - Fixed an issue where OpenIPMI was creating non-position independent
     binaries (bsc#1183178).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1010=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1010=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1010=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1010=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1010=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1010=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1010=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1010=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1010=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1010=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1010=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Manager Proxy 4.0 (x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1
- SUSE CaaS Platform 4.0 (x86_64):
    OpenIPMI-2.0.25-7.3.1
    OpenIPMI-debuginfo-2.0.25-7.3.1
    OpenIPMI-debugsource-2.0.25-7.3.1
    OpenIPMI-devel-2.0.25-7.3.1

References:

https://bugzilla.suse.com/1183178

From sle-security-updates at lists.suse.com Fri Apr 2 06:40:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Apr 2021 08:40:56 +0200 (CEST)
Subject: SUSE-CU-2021:92-1: Security update of suse/sle15
Message-ID: <20210402064056.6317AB462AB@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:92-1
Container Tags : suse/sle15:15.2 , suse/sle15:15.2.8.2.883
Container Release : 8.2.883
Severity : moderate
Type : security
References : 1183933 1183934 CVE-2021-22876 CVE-2021-22890
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released: Thu Apr 1 17:44:57 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890

This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

From sle-security-updates at lists.suse.com Fri Apr 2 06:42:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 2 Apr 2021 08:42:21 +0200 (CEST)
Subject: SUSE-CU-2021:93-1: Security update of suse/sle15
Message-ID: <20210402064221.DC4E3B462A9@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:93-1
Container Tags : suse/sle15:15.3 , suse/sle15:15.3.13.2.238
Container Release : 13.2.238
Severity : important
Type : security
References : 1078466 1146705 1172442 1175519 1178775 1180020 1180083 1180596 1181011 1181358 1181831 1183094 1183370 1183371 1183852 CVE-2020-11080 CVE-2021-24031 CVE-2021-24032 CVE-2021-3449
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2.
  (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released: Thu Mar 25 16:11:48 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue.
  [bsc#1183852]

From sle-security-updates at lists.suse.com Sat Apr 3 06:08:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 3 Apr 2021 08:08:05 +0200 (CEST)
Subject: SUSE-CU-2021:94-1: Security update of suse/sles12sp3
Message-ID: <20210403060805.BC35EB462AB@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:94-1
Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.237 , suse/sles12sp3:latest
Container Release : 24.237
Severity : important
Type : security
References : 1116107 1159635 1174215 1175109 1178727 1178823 1178909 1178925 1178966 1179398 1179398 1179399 1179491 1180073 1181728 1182138 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 CVE-2019-19906 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8231 CVE-2020-8284 CVE-2020-8284 CVE-2020-8285 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3569-1
Released: Mon Nov 30 17:13:16 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1178727

This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days.
  (bsc#1178727)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3573-1
Released: Mon Nov 30 18:13:05 2020
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1116107

This update for sg3_utils fixes the following issues:

- Fixed wrong device ID for devices using NAA extended format (bsc#1116107)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3763-1
Released: Fri Dec 11 14:17:32 2020
Summary: Security update for openssl
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3794-1
Released: Mon Dec 14 17:40:20 2020
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1174215,1178925,1178966

This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)
  The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)
  The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3800-1
Released: Mon Dec 14 18:55:59 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1175109,1179398,CVE-2020-8231,CVE-2020-8284

This update for curl fixes the following issues:

- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
- CVE-2020-8231: Fixed an issue with trusting FTP PASV responses (bsc#1175109).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3876-1
Released: Fri Dec 18 16:45:25 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,CVE-2020-8284,CVE-2020-8285

This update for curl fixes the following issue:

- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
- CVE-2020-8284: Adjust trusting FTP PASV responses (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3939-1
Released: Mon Dec 28 14:29:41 2020
Summary: Security update for cyrus-sasl
Type: security
Severity: important
References: 1159635,CVE-2019-19906

This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:26-1
Released: Tue Jan 5 14:18:00 2021
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:128-1
Released: Thu Jan 14 11:01:24 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:588-1
Released: Thu Feb 25 06:10:02 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1182138

This update for file fixes the following issues:

- Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:693-1
Released: Wed Mar 3 18:13:33 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:939-1
Released: Wed Mar 24 12:24:38 2021
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:970-1
Released: Mon Mar 29 14:53:14 2021
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1181728

This update for apparmor fixes the following issues:

- Add abstraction/base fix to apparmor-profile.
  (bsc#1181728)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1003-1
Released: Thu Apr 1 15:06:58 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

From sle-security-updates at lists.suse.com Sat Apr 3 06:18:19 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 3 Apr 2021 08:18:19 +0200 (CEST)
Subject: SUSE-CU-2021:95-1: Security update of suse/sles12sp4
Message-ID: <20210403061819.6E1A2B462AB@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:95-1
Container Tags : suse/sles12sp4:26.268 , suse/sles12sp4:latest
Container Release : 26.268
Severity : important
Type : security
References : 1082318 1088639 1112438 1125689 1134616 1146182 1146184 1159635 1174215 1178727 1178823 1178909 1178925 1178966 1179491 1180038 1180073 1180777 1180959 1181358 1181365 1181505 1182117 1182138 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 962914 964140 966514 CVE-2016-1544 CVE-2018-1000168 CVE-2019-19906 CVE-2019-25013 CVE-2019-9511 CVE-2019-9513 CVE-2020-11080 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3326
-----------------------------------------------------------------

The container suse/sles12sp4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3569-1
Released: Mon Nov 30 17:13:16 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1178727

This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3732-1
Released: Wed Dec 9 18:18:03 2020
Summary: Security update for openssl-1_0_0
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_0_0 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3794-1
Released: Mon Dec 14 17:40:20 2020
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1174215,1178925,1178966

This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)
  The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)
  The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3939-1
Released: Mon Dec 28 14:29:41 2020
Summary: Security update for cyrus-sasl
Type: security
Severity: important
References: 1159635,CVE-2019-19906

This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:26-1
Released: Tue Jan 5 14:18:00 2021
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:128-1
Released: Thu Jan 14 11:01:24 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:244-1
Released: Fri Jan 29 09:46:42 2021
Summary: Recommended update for openssl-1_0_0
Type: recommended
Severity: moderate
References: 1180777,1180959

This update for openssl-1_0_0 fixes the following issues:

- Add declaration of BN_secure_new() function needed by other packages.
  (bsc#1180777)
- Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:588-1
Released: Thu Feb 25 06:10:02 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1182138

This update for file fixes the following issues:

- Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:608-1
Released: Thu Feb 25 21:03:59 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1180038,1181365,1181505,1182117,CVE-2019-25013,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
- powerpc: Add support for POWER10 (bsc#1181365)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:693-1
Released: Wed Mar 3 18:13:33 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:725-1
Released: Mon Mar 8 16:47:37 2021
Summary: Security update for openssl-1_0_0
Type: security
Severity: moderate
References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_0_0 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:932-1
Released: Wed Mar 24 12:13:01 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080

This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

Bug fixes and enhancements:

- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1003-1
Released: Thu Apr 1 15:06:58 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

From sle-security-updates at lists.suse.com Tue Apr 6 19:15:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Apr 2021 21:15:09 +0200 (CEST)
Subject: SUSE-SU-2021:1023-1: important: Security update for xen
Message-ID: <20210406191509.02C9DF79F@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1023-1
Rating: important
References: #1027519 #1177112 #1177204 #1178591 #1178736 #1179148 #1181254 #1181989 #1182846 #1183072
Cross-References: CVE-2020-28368 CVE-2021-20257 CVE-2021-28687 CVE-2021-3308
CVSS scores:
    CVE-2020-28368 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    CVE-2020-28368 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
    CVE-2021-3308 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-3308 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves four vulnerabilities and has 6 fixes is now available.

Description:

This update for xen fixes the following issues:

- CVE-2021-3308: VUL-0: xen: IRQ vector leak on x86 (bsc#1181254, XSA-360)
- CVE-2021-28687: VUL-0: xen: HVM soft-reset crashes toolstack (bsc#1183072, XSA-368)
- CVE-2021-20257: VUL-0: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846)
- CVE-2020-28368: VUL-0: xen: Intel RAPL sidechannel attack aka PLATYPUS attack aka (bsc#1178591, XSA-351)
- L3: conring size for XEN HV's with huge memory too small. Initial Xen logs cut (bsc#1177204)
- Kdump of HVM fails, soft-reset not handled by libxl (bsc#1179148)
- OpenQA job causes libvirtd to dump core when running kdump inside domain (bsc#1181989)
- Allow restart of xenwatchdogd, enable tuning of keep-alive interval and timeout options via XENWATCHDOGD_ARGS= (bsc#1178736)
- The receiving side did detect holes in a to-be-allocated superpage, but allocated a superpage anyway. This resulted in over-allocation (bsc#1177112)
- The receiving side may punch holes incorrectly into optimistically allocated superpages. Also reduce overhead in bitmap handling (bsc#1177112)
- Upstream bug fixes (bsc#1027519)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1023=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1023=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 x86_64):
    xen-debugsource-4.12.4_09-3.39.3
    xen-devel-4.12.4_09-3.39.3
- SUSE Linux Enterprise Server 12-SP5 (x86_64):
    xen-4.12.4_09-3.39.3
    xen-debugsource-4.12.4_09-3.39.3
    xen-doc-html-4.12.4_09-3.39.3
    xen-libs-32bit-4.12.4_09-3.39.3
    xen-libs-4.12.4_09-3.39.3
    xen-libs-debuginfo-32bit-4.12.4_09-3.39.3
    xen-libs-debuginfo-4.12.4_09-3.39.3
    xen-tools-4.12.4_09-3.39.3
    xen-tools-debuginfo-4.12.4_09-3.39.3
    xen-tools-domU-4.12.4_09-3.39.3
    xen-tools-domU-debuginfo-4.12.4_09-3.39.3

References:

https://www.suse.com/security/cve/CVE-2020-28368.html
https://www.suse.com/security/cve/CVE-2021-20257.html
https://www.suse.com/security/cve/CVE-2021-28687.html
https://www.suse.com/security/cve/CVE-2021-3308.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1177112
https://bugzilla.suse.com/1177204
https://bugzilla.suse.com/1178591
https://bugzilla.suse.com/1178736
https://bugzilla.suse.com/1179148
https://bugzilla.suse.com/1181254
https://bugzilla.suse.com/1181989
https://bugzilla.suse.com/1182846
https://bugzilla.suse.com/1183072

From sle-security-updates at lists.suse.com Tue Apr 6 19:17:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Apr 2021 21:17:46 +0200 (CEST)
Subject: SUSE-SU-2021:1028-1: important: Security update for xen
Message-ID: <20210406191746.D82FFF79F@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1028-1
Rating: important
References: #1027519 #1177204 #1179148 #1180690 #1181254 #1181989 #1182576 #1183072
Cross-References:
    CVE-2021-28687 CVE-2021-3308
CVSS scores:
    CVE-2021-3308 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-3308 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
    SUSE MicroOS 5.0
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves two vulnerabilities and has 6 fixes is now available.

Description:

This update for xen fixes the following issues:

- CVE-2021-3308: VUL-0: xen: IRQ vector leak on x86 (bsc#1181254, XSA-360)
- CVE-2021-28687: HVM soft-reset crashes toolstack (bsc#1183072, XSA-368)
- L3: conring size for XEN HV's with huge memory too small. Initial Xen logs cut (bsc#1177204)
- L3: XEN domU crashed on resume when using the xl unpause command (bsc#1182576)
- L3: xen: no needsreboot flag set (bsc#1180690)
- kdump of HVM fails, soft-reset not handled by libxl (bsc#1179148)
- openQA job causes libvirtd to dump core when running kdump inside domain (bsc#1181989)
- Upstream bug fixes (bsc#1027519)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1028=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1028=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1028=1

Package List:

- SUSE MicroOS 5.0 (x86_64):
    xen-debugsource-4.13.2_08-3.25.3
    xen-libs-4.13.2_08-3.25.3
    xen-libs-debuginfo-4.13.2_08-3.25.3
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64):
    xen-4.13.2_08-3.25.3
    xen-debugsource-4.13.2_08-3.25.3
    xen-devel-4.13.2_08-3.25.3
    xen-tools-4.13.2_08-3.25.3
    xen-tools-debuginfo-4.13.2_08-3.25.3
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
    xen-tools-xendomains-wait-disk-4.13.2_08-3.25.3
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
    xen-debugsource-4.13.2_08-3.25.3
    xen-libs-4.13.2_08-3.25.3
    xen-libs-debuginfo-4.13.2_08-3.25.3
    xen-tools-domU-4.13.2_08-3.25.3
    xen-tools-domU-debuginfo-4.13.2_08-3.25.3

References:

https://www.suse.com/security/cve/CVE-2021-28687.html
https://www.suse.com/security/cve/CVE-2021-3308.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1177204
https://bugzilla.suse.com/1179148
https://bugzilla.suse.com/1180690
https://bugzilla.suse.com/1181254
https://bugzilla.suse.com/1181989
https://bugzilla.suse.com/1182576
https://bugzilla.suse.com/1183072

From sle-security-updates at lists.suse.com Tue Apr 6 22:15:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Apr 2021 00:15:10 +0200 (CEST)
Subject: SUSE-SU-2021:1030-1: moderate: Security update for gssproxy
Message-ID: <20210406221510.99316F78E@maintenance.suse.de>

SUSE Security Update: Security update for gssproxy
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1030-1
Rating: moderate
References: #1180515
Cross-References: CVE-2020-12658
CVSS scores:
    CVE-2020-12658 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2020-12658 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for gssproxy fixes the following issues:

- CVE-2020-12658: Fixed an issue where gssproxy was not unlocking cond_mutex before pthread exit in gp_worker_main() (bsc#1180515).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1030=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    gssproxy-0.8.2-4.5.1
    gssproxy-debuginfo-0.8.2-4.5.1

References:

https://www.suse.com/security/cve/CVE-2020-12658.html
https://bugzilla.suse.com/1180515

From sle-security-updates at lists.suse.com Tue Apr 6 22:16:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Apr 2021 00:16:10 +0200 (CEST)
Subject: SUSE-SU-2021:1029-1: moderate: Security update for gssproxy
Message-ID: <20210406221610.982D2F78E@maintenance.suse.de>

SUSE Security Update: Security update for gssproxy
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1029-1
Rating: moderate
References: #1180515
Cross-References: CVE-2020-12658
CVSS scores:
    CVE-2020-12658 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2020-12658 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gssproxy fixes the following issues: - CVE-2020-12658: Fixed an issue where gssproxy was not unlocking cond_mutex before pthread exit in gp_worker_main() (bsc#1180515). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1029=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): gssproxy-0.8.2-3.6.1 gssproxy-debuginfo-0.8.2-3.6.1 gssproxy-debugsource-0.8.2-3.6.1 References: https://www.suse.com/security/cve/CVE-2020-12658.html https://bugzilla.suse.com/1180515 From sle-security-updates at lists.suse.com Wed Apr 7 10:15:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 12:15:51 +0200 (CEST) Subject: SUSE-SU-2021:1046-1: important: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) Message-ID: <20210407101551.89AF0F79F@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1046-1 Rating: important References: #1179664 #1182717 #1183120 #1183491 Cross-References: CVE-2020-29368 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVSS scores: CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Live Patching 12-SP5 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-122_63 fixes several issues. The following security issues were fixed: - CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120). - CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717). - CVE-2020-29368: Fixed a race condition in a THP mapcount check (bsc#1179664). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1046=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_63-default-2-2.2 References: https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183120 https://bugzilla.suse.com/1183491 From sle-security-updates at lists.suse.com Wed Apr 7 10:17:12 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 12:17:12 +0200 (CEST) Subject: SUSE-SU-2021:1074-1: important: Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) Message-ID: <20210407101712.BCFE4F79F@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1074-1 Rating: important References: #1165631 #1176931 #1177513 #1182717 #1183120 #1183491 Cross-References: CVE-2020-0429 CVE-2020-1749 CVE-2020-25645 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVSS scores: CVE-2020-0429 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-1749 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_141 fixes several issues. The following security issues were fixed: - CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120). - CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717). - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bsc#1177513). - CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges needed (bsc#1176931). - CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1074=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1074=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_141-default-2-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-2-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_141-default-2-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-2-2.2 References: https://www.suse.com/security/cve/CVE-2020-0429.html https://www.suse.com/security/cve/CVE-2020-1749.html https://www.suse.com/security/cve/CVE-2020-25645.html https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1176931 https://bugzilla.suse.com/1177513 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183120 https://bugzilla.suse.com/1183491 From sle-security-updates at lists.suse.com Wed Apr 7 13:16:11 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 15:16:11 +0200 (CEST) Subject: SUSE-SU-2021:1075-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP5) Message-ID: <20210407131611.AE277F79F@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1075-1 Rating: important References: #1182717 #1183120 #1183491 Cross-References: CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVSS scores: CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-122_222 fixes several issues. The following security issues were fixed: - CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120). - CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1067=1 SUSE-SLE-SAP-12-SP3-2021-1068=1 SUSE-SLE-SAP-12-SP3-2021-1069=1 SUSE-SLE-SAP-12-SP3-2021-1070=1 SUSE-SLE-SAP-12-SP3-2021-1071=1 SUSE-SLE-SAP-12-SP3-2021-1072=1 SUSE-SLE-SAP-12-SP3-2021-1073=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1067=1 SUSE-SLE-SERVER-12-SP3-2021-1068=1 SUSE-SLE-SERVER-12-SP3-2021-1069=1 SUSE-SLE-SERVER-12-SP3-2021-1070=1 SUSE-SLE-SERVER-12-SP3-2021-1071=1 SUSE-SLE-SERVER-12-SP3-2021-1072=1 SUSE-SLE-SERVER-12-SP3-2021-1073=1 - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1064=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1065=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1066=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1084=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1085=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1086=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1087=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1088=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1089=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1090=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1091=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1092=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-1052=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1053=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1054=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1055=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1056=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1057=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1058=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1059=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1060=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1061=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1062=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1063=1 
SUSE-SLE-Module-Live-Patching-15-SP1-2021-1083=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1093=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-1047=1 SUSE-SLE-Module-Live-Patching-15-2021-1048=1 SUSE-SLE-Module-Live-Patching-15-2021-1049=1 SUSE-SLE-Module-Live-Patching-15-2021-1050=1 SUSE-SLE-Module-Live-Patching-15-2021-1051=1 SUSE-SLE-Module-Live-Patching-15-2021-1082=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1034=1 SUSE-SLE-Live-Patching-12-SP5-2021-1035=1 SUSE-SLE-Live-Patching-12-SP5-2021-1036=1 SUSE-SLE-Live-Patching-12-SP5-2021-1037=1 SUSE-SLE-Live-Patching-12-SP5-2021-1038=1 SUSE-SLE-Live-Patching-12-SP5-2021-1039=1 SUSE-SLE-Live-Patching-12-SP5-2021-1040=1 SUSE-SLE-Live-Patching-12-SP5-2021-1041=1 SUSE-SLE-Live-Patching-12-SP5-2021-1042=1 SUSE-SLE-Live-Patching-12-SP5-2021-1043=1 SUSE-SLE-Live-Patching-12-SP5-2021-1044=1 SUSE-SLE-Live-Patching-12-SP5-2021-1045=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-1075=1 SUSE-SLE-Live-Patching-12-SP4-2021-1076=1 SUSE-SLE-Live-Patching-12-SP4-2021-1077=1 SUSE-SLE-Live-Patching-12-SP4-2021-1078=1 SUSE-SLE-Live-Patching-12-SP4-2021-1079=1 SUSE-SLE-Live-Patching-12-SP4-2021-1080=1 SUSE-SLE-Live-Patching-12-SP4-2021-1081=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-9-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_121-default-8-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_124-default-8-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_127-default-8-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_130-default-7-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_135-default-5-2.2 
kgraft-patch-4_4_180-94_135-default-debuginfo-5-2.2 kgraft-patch-4_4_180-94_138-default-3-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-3-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-9-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_121-default-8-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_124-default-8-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_127-default-8-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_130-default-7-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_135-default-5-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-5-2.2 kgraft-patch-4_4_180-94_138-default-3-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-3-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-22-default-9-5.2 kernel-livepatch-5_3_18-22-default-debuginfo-9-5.2 kernel-livepatch-5_3_18-24_12-default-7-2.2 kernel-livepatch-5_3_18-24_12-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_15-default-7-2.2 kernel-livepatch-5_3_18-24_15-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_24-default-7-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_29-default-5-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_34-default-5-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_37-default-5-2.2 kernel-livepatch-5_3_18-24_37-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_43-default-4-2.2 kernel-livepatch-5_3_18-24_43-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_46-default-4-2.2 kernel-livepatch-5_3_18-24_46-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_49-default-3-2.2 kernel-livepatch-5_3_18-24_49-default-debuginfo-3-2.2 kernel-livepatch-5_3_18-24_52-default-2-2.2 
kernel-livepatch-5_3_18-24_52-default-debuginfo-2-2.2 kernel-livepatch-5_3_18-24_9-default-8-2.2 kernel-livepatch-5_3_18-24_9-default-debuginfo-8-2.2 kernel-livepatch-SLE15-SP2_Update_0-debugsource-9-5.2 kernel-livepatch-SLE15-SP2_Update_1-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_10-debugsource-3-2.2 kernel-livepatch-SLE15-SP2_Update_11-debugsource-2-2.2 kernel-livepatch-SLE15-SP2_Update_2-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_3-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-5-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-5-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-5-2.2 kernel-livepatch-SLE15-SP2_Update_8-debugsource-4-2.2 kernel-livepatch-SLE15-SP2_Update_9-debugsource-4-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_37-default-11-2.2 kernel-livepatch-4_12_14-197_40-default-10-2.2 kernel-livepatch-4_12_14-197_45-default-8-2.2 kernel-livepatch-4_12_14-197_48-default-8-2.2 kernel-livepatch-4_12_14-197_51-default-8-2.2 kernel-livepatch-4_12_14-197_56-default-7-2.2 kernel-livepatch-4_12_14-197_61-default-6-2.2 kernel-livepatch-4_12_14-197_64-default-5-2.2 kernel-livepatch-4_12_14-197_67-default-5-2.3 kernel-livepatch-4_12_14-197_72-default-4-2.2 kernel-livepatch-4_12_14-197_75-default-4-2.2 kernel-livepatch-4_12_14-197_78-default-4-2.2 kernel-livepatch-4_12_14-197_83-default-3-2.2 kernel-livepatch-4_12_14-197_86-default-2-2.2 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_52-default-8-2.2 kernel-livepatch-4_12_14-150_52-default-debuginfo-8-2.2 kernel-livepatch-4_12_14-150_55-default-8-2.2 kernel-livepatch-4_12_14-150_55-default-debuginfo-8-2.2 kernel-livepatch-4_12_14-150_58-default-7-2.2 kernel-livepatch-4_12_14-150_58-default-debuginfo-7-2.2 kernel-livepatch-4_12_14-150_63-default-5-2.2 kernel-livepatch-4_12_14-150_63-default-debuginfo-5-2.2 
kernel-livepatch-4_12_14-150_66-default-3-2.2 kernel-livepatch-4_12_14-150_66-default-debuginfo-3-2.2 kernel-livepatch-4_12_14-150_69-default-2-2.2 kernel-livepatch-4_12_14-150_69-default-debuginfo-2-2.2 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_20-default-11-2.2 kgraft-patch-4_12_14-122_23-default-10-2.2 kgraft-patch-4_12_14-122_26-default-10-2.2 kgraft-patch-4_12_14-122_29-default-10-2.2 kgraft-patch-4_12_14-122_32-default-10-2.2 kgraft-patch-4_12_14-122_37-default-9-2.2 kgraft-patch-4_12_14-122_41-default-8-2.2 kgraft-patch-4_12_14-122_46-default-6-2.2 kgraft-patch-4_12_14-122_51-default-6-2.2 kgraft-patch-4_12_14-122_54-default-4-2.2 kgraft-patch-4_12_14-122_57-default-4-2.2 kgraft-patch-4_12_14-122_60-default-3-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_51-default-10-2.2 kgraft-patch-4_12_14-95_54-default-8-2.2 kgraft-patch-4_12_14-95_57-default-8-2.2 kgraft-patch-4_12_14-95_60-default-7-2.2 kgraft-patch-4_12_14-95_65-default-4-2.2 kgraft-patch-4_12_14-95_68-default-3-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_71-default-2-2.2 References: https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183120 https://bugzilla.suse.com/1183491 From sle-security-updates at lists.suse.com Wed Apr 7 16:15:32 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 18:15:32 +0200 (CEST) Subject: SUSE-SU-2021:1094-1: important: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk Message-ID: <20210407161532.3ECFAF79F@maintenance.suse.de> SUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1094-1 Rating: important References: #1133120 #1133124 #1175899 #1180996 SLE-7171 Cross-References: CVE-2021-21261 CVSS scores: CVE-2021-21261 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability, contains one feature and has three fixes is now available. Description: This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues: libostree: Update to version 2020.8 - Enable LTO. (bsc#1133120) - This update contains scalability improvements and bugfixes. - Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile. - Summaries and delta have been reworked to allow more fine-grained fetching. - Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures. - Static deltas can now be signed to more easily support offline verification. - There's now support for multiple initramfs images; It is possible to have a "main" initramfs image and a secondary one which represents local configuration. - The documentation is now moved to https://ostreedev.github.io/ostree/ - Fix for an assertion failure when upgrading from systems before ostree supported devicetree. - ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts. - ostree now supports `/` and `/boot` being on the same filesystem. 
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file. - Fix a regression in 2020.4 where the "readonly sysroot" changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least). - The default dracut config now enables reproducibility. - There is a new ostree admin unlock `--transient`. This should be a foundation for further support for "live" updates. - New `ed25519` signing support, powered by `libsodium`. - ostree commit gained a new `--base` argument, which significantly simplifies constructing "derived" commits, particularly for systems using SELinux. - Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended. - Several fixes in locking for the temporary "staging" directories OSTree creates, particularly on NFS. - A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS. - Several fixes and enhancements made for "collection" pulls including a new `--mirror` option. - The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables. - Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying. - Stop invalid usage of `%_libexecdir`: + Use `%{_prefix}/lib` where appropriate. + Use `_systemdgeneratordir` for the systemd-generators. + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work. 
xdg-desktop-portal: Update to version 1.8.0: - Ensure systemd rpm macros are called at install/uninstall times for systemd user services. - Add BuildRequires on systemd-rpm-macros. - openuri: - Allow skipping the chooser for more URL types - Robustness fixes - filechooser: - Return the current filter - Add a "directory" option - Document the "writable" option - camera: - Make the client node visible - Don't leak pipewire proxy - Fix file descriptor leaks - Testsuite improvements - Updated translations. - document: - Reduce the use of open fds - Add more tests and fix issues they found - Expose directories with their proper name - Support exporting directories - New fuse implementation - background: Avoid a segfault - screencast: Require pipewire 0.3 - Better support for snap and toolbox - Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect - Fixes for `%_libexecdir` changing to `/usr/libexec` xdg-desktop-portal-gtk: Update to version 1.8.0: - filechooser: - Return the current filter - Handle the "directory" option to select directories - Only show preview when we have an image - screenshot: Fix cancellation - appchooser: Avoid a crash - wallpaper: - Properly preview placement settings - Drop the lockscreen option - printing: Improve the notification - Updated translations. - settings: Fall back to gsettings for enable-animations - screencast: Support Mutter version to 3 (New pipewire api ver 3). flatpak: - Update to version 1.10.2 (jsc#SLE-17238, ECO-3148) - This is a security update which fixes a potential attack where a flatpak application could use custom formatted `.desktop` file to gain access to files on the host system. 
- Fix memory leaks - Documentation and translations updates - Spawn portal better handles non-utf8 filenames - Fix flatpak build on systems with setuid bwrap - Fix crash on updating apps with no deploy data - Remove deprecated texinfo packaging macros. - Support for the new repo format which should make updates faster and download less data. - The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance. - The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh. - Flatpak now finds the pulseaudio sockets better in uncommon configurations. - Sandboxes with network access now also have access to the `systemd-resolved` socket to do dns lookups. - Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it. - The spawn portal now has an option to share the pid namespace with the sub-sandbox. - This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261) - Fix support for ppc64. - Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package. - Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124) - Fixed progress reporting for OCI and extra-data. - The in-memory summary cache is more efficient. - Fixed authentication getting stuck in a loop in some cases. - Fixed authentication error reporting. - Extract OCI info for runtimes as well as apps. - Fixed crash if anonymous authentication fails and `-y` is specified. - flatpak info now only looks at the specified installation if one is specified. - Better error reporting for server HTTP errors during download. 
- Uninstall now removes applications before the runtime it depends on. - Avoid updating metadata from the remote when uninstalling. - FlatpakTransaction now verifies all passed in refs to avoid. - Added validation of collection id settings for remotes. - Fix seccomp filters on s390. - Robustness fixes to the spawn portal. - Fix support for masking update in the system installation. - Better support for distros with uncommon models of merged `/usr`. - Cache responses from localed/AccountService. - Fix hangs in cases where `xdg-dbus-proxy` fails to start. - Fix double-free in cups socket detection. - OCI authenticator now doesn't ask for auth in case of http errors. - Fix invalid usage of `%{_libexecdir}` to reference systemd directories. - Fixes for `%_libexecdir` changing to `/usr/libexec` - Avoid calling authenticator in update if ref didn't change - Don't fail transaction if ref is already installed (after transaction start) - Fix flatpak run handling of userns in the `--device=all` case - Fix handling of extensions from different remotes - Fix flatpak run `--no-session-bus` - `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands. - Now the host timezone data is always exposed, fixing several apps that had timezone issues. - There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos. - By default the `gdm env.d` file is no longer installed because the systemd generators work better. - `create-usb` now exports partial commits by default - Fix handling of docker media types in oci remotes - Fix subjects in `remote-info --log` output - This release is also able to host flatpak images on e.g. docker hub. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): flatpak-1.10.2-4.6.1 flatpak-debuginfo-1.10.2-4.6.1 flatpak-debugsource-1.10.2-4.6.1 flatpak-devel-1.10.2-4.6.1 flatpak-zsh-completion-1.10.2-4.6.1 libflatpak0-1.10.2-4.6.1 libflatpak0-debuginfo-1.10.2-4.6.1 libostree-2020.8-3.3.2 libostree-debuginfo-2020.8-3.3.2 libostree-debugsource-2020.8-3.3.2 libostree-devel-2020.8-3.3.2 system-user-flatpak-1.10.2-4.6.1 typelib-1_0-Flatpak-1_0-1.10.2-4.6.1 typelib-1_0-OSTree-1_0-2020.8-3.3.2 xdg-desktop-portal-1.8.0-5.3.2 xdg-desktop-portal-debuginfo-1.8.0-5.3.2 xdg-desktop-portal-debugsource-1.8.0-5.3.2 xdg-desktop-portal-devel-1.8.0-5.3.2 xdg-desktop-portal-gtk-1.8.0-3.3.1 xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1 xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch): xdg-desktop-portal-gtk-lang-1.8.0-3.3.1 xdg-desktop-portal-lang-1.8.0-5.3.2 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libostree-1-1-2020.8-3.3.2 libostree-1-1-debuginfo-2020.8-3.3.2 libostree-debuginfo-2020.8-3.3.2 libostree-debugsource-2020.8-3.3.2 References: https://www.suse.com/security/cve/CVE-2021-21261.html https://bugzilla.suse.com/1133120 https://bugzilla.suse.com/1133124 https://bugzilla.suse.com/1175899 https://bugzilla.suse.com/1180996 From sle-security-updates at lists.suse.com Wed Apr 7 16:19:45 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 18:19:45 +0200 (CEST) Subject: SUSE-IU-2021:429-1: Security update of 
suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64 Message-ID: <20210407161945.6D677B45F03@westernhagen.suse.de> SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:429-1 Image Tags : suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64:20210405 Image Release : Severity : important Type : security References : 1065600 1065729 1078466 1078720 1081134 1083473 1084610 1084864 1112500 1115408 1125671 1132477 1132565 1133568 1135130 1135224 1138203 1138487 1140565 1145508 1146705 1146898 1150394 1150612 1151713 1151927 1152052 1152472 1152489 1154121 1154353 1154393 1155518 1156395 1163776 1165780 1169514 1170442 1170998 1172442 1174075 1174514 1175289 1175519 1175970 1176171 1176201 1176248 1176262 1176708 1176711 1176784 1176785 1176855 1177109 1177125 1177127 1177222 1177326 1177440 1177529 1177883 1178142 1178168 1178386 1178775 1178801 1178801 1178969 1178995 1179082 1179137 1179243 1179264 1179265 1179428 1179660 1179694 1179721 1179756 1179847 1179929 1180020 1180038 1180058 1180073 1180083 1180176 1180243 1180336 1180401 1180401 1180403 1180501 1180596 1180686 1180827 1180846 1180933 1180964 1180989 1181011 1181126 1181131 1181133 1181259 1181283 1181313 1181328 1181358 1181505 1181544 1181574 1181622 1181637 1181655 1181671 1181674 1181710 1181720 1181730 1181732 1181735 1181736 1181738 1181747 1181753 1181818 1181831 1181843 1181854 1181896 1181944 1181958 1181960 1181967 1181985 1182047 1182057 1182066 1182110 1182117 1182118 1182128 1182140 1182168 1182171 1182175 1182244 1182246 1182259 1182262 1182263 1182265 1182266 1182267 1182268 1182271 1182272 1182273 1182275 1182276 1182278 1182279 1182283 1182324 1182328 1182331 1182333 1182341 1182362 1182374 1182379 1182380 1182381 1182406 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182430 1182439 1182441 1182442 1182443 1182444 1182445 1182446 
1182447 1182449 1182454 1182455 1182456 1182457 1182458 1182459 1182460 1182461 1182462 1182463 1182464 1182465 1182466 1182485 1182489 1182490 1182507 1182547 1182558 1182560 1182561 1182571 1182599 1182602 1182626 1182629 1182650 1182672 1182676 1182683 1182684 1182686 1182688 1182770 1182798 1182800 1182801 1182854 1182856 1182959 1183012 1183073 1183094 1183370 1183371 1183456 1183457 1183572 1183574 1183852 1183933 1183934 CVE-2019-20916 CVE-2019-25013 CVE-2020-11080 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373 CVE-2020-14343 CVE-2020-14372 CVE-2020-15257 CVE-2020-25613 CVE-2020-25632 CVE-2020-25647 CVE-2020-25659 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27840 CVE-2020-28493 CVE-2020-29368 CVE-2020-29374 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8625 CVE-2021-20193 CVE-2021-20225 CVE-2021-20231 CVE-2021-20232 CVE-2021-20233 CVE-2021-20277 CVE-2021-21284 CVE-2021-21285 CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-26720 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 ----------------------------------------------------------------- The container suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:419-1 Released: Wed Feb 10 12:03:33 2021 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: 1181313 This update for open-iscsi fixes the following issues: - Fixes a segfault when exiting from iscsiadm (bsc#1181313) - Fix for several memory leaks in iscsiadm - Fix for a crash when function iscsi_rec_update_param() is invoked ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:435-1 Released: Thu Feb 11 14:47:25 2021 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: important References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. 
  See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released: Thu Feb 11 16:35:04 2021
Summary: Optional update for python3-jsonschema
Type: optional
Severity: low
References: 1180403

This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625

This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168

This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released: Fri Feb 19 09:44:53 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501

This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:551-1 Released: Tue Feb 23 09:31:53 2021 Summary: Security update for avahi Type: security Severity: moderate References: 1180827,CVE-2021-26720 This update for avahi fixes the following issues: - CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827) - Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d. - Add sudo to requires: used to drop privileges. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:571-1 Released: Tue Feb 23 16:11:33 2021 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1180176 This update for cloud-init contains the following fixes: - Update cloud-init-write-routes.patch (bsc#1180176) + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing. 
- Add cloud-init-sle12-compat.patch (jsc#PM-2335) - Python 3.4 compatibility in setup.py - Disable some test for mock version compatibility ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:573-1 Released: Wed Feb 24 09:58:38 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1176171,1180336 This update for dracut fixes the following issues: - arm/arm64: Add reset controllers (bsc#1180336) - Prevent creating unexpected files on the host when running dracut (bsc#1176171) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:594-1 Released: Thu Feb 25 09:29:35 2021 Summary: Security update for python-cryptography Type: security Severity: important References: 1182066,CVE-2020-36242 This update for python-cryptography fixes the following issues: - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:654-1 Released: Fri Feb 26 20:01:10 2021 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1181944,1182244,CVE-2020-28493 This update for python-Jinja2 fixes the following issues: - CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate References: 1177127 This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. 
(bsc#1177127) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:683-1 Released: Tue Mar 2 19:04:43 2021 Summary: Security update for grub2 Type: security Severity: important References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233 This update for grub2 fixes the following issues: grub2 implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057) - CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711) - CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883) - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264) - CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970) - CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262) - CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:689-1 Released: Tue Mar 2 19:08:40 2021 Summary: Security update for bind Type: security Severity: important References: 1180933 This update for bind fixes the following issues: - dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. 
[bsc#1180933] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). 
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:741-1
Released: Tue Mar 9 16:11:49 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065600,1065729,1078720,1081134,1084610,1132477,1151927,1152472,1152489,1154353,1155518,1156395,1163776,1169514,1170442,1176248,1176855,1177109,1177326,1177440,1177529,1178142,1178995,1179082,1179137,1179243,1179428,1179660,1179929,1180058,1180846,1180964,1180989,1181133,1181259,1181544,1181574,1181637,1181655,1181671,1181674,1181710,1181720,1181735,1181736,1181738,1181747,1181753,1181818,1181843,1181854,1181896,1181958,1181960,1181985,1182047,1182110,1182118,1182128,1182140,1182171,1182175,1182259,1182265,1182266,1182267,1182268,1182271,1182272,1182273,1182275,1182276,1182278,1182283,1182341,1182374,1182380,1182381,1182406,1182430,1182439,1182441,1182442,1182443,1182444,1182445,1182446,1182447,1182449,1182454,1182455,1182456,1182457,1182458,1182459,1182460,1182461,1182462,1182463,1182464,1182465,1182466,1182485,1182489,1182490,1182507,1182547,1182558,1182560,1182561,1182571,1182599,1182602,1182626,1182650,1182672,1182676,1182683,1182684,1182686,1182770,1182798,1182800,1182801,1182854,1182856,CVE-2020-12362,CVE-2020-12363,CVE-2020-12364,CVE-2020-12373,CVE-2020-29368,CVE-2020-29374,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
  by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).
- CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).
- CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736).
- CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes).
- ACPI: property: Fix fwnode string properties matching (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes).
- ALSA: hda: Add another CometLake-H PCI ID (git-fixes).
- ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes).
- ALSA: pcm: Call sync_stop at disconnection (git-fixes).
- ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes).
- ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes).
- ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes).
- ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes). - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes). - ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes). - ALSA: usb-audio: More strict state change in EP (git-fixes). - amba: Fix resource leak for drivers without .remove (git-fixes). - arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560) - ASoC: cpcap: fix microphone timeslot mask (git-fixes). - ASoC: cs42l56: fix up error handling in probe (git-fixes). - ASoC: simple-card-utils: Fix device module clock (git-fixes). - ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes). - ata: ahci_brcm: Add back regulators management (git-fixes). - ata: sata_nv: Fix retrieving of active qcs (git-fixes). - ath10k: Fix error handling in case of CE pipe init failure (git-fixes). - ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes). - bcache: fix overflow in offset_to_stripe() (git-fixes). - blk-mq: call commit_rqs while list empty but error happen (bsc#1182442). - blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443). - blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444). - block: fix inflight statistics of part0 (bsc#1182445). - block: respect queue limit of max discard segment (bsc#1182441). - block: virtio_blk: fix handling single range discard request (bsc#1182439). - Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes). - Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes). - Bluetooth: drop HCI device reference before return (git-fixes). - Bluetooth: Fix initializing response id after clearing struct (git-fixes). - Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes). - Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes). 
- bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes). - bnxt_en: fix error return code in bnxt_init_board() (git-fixes). - bnxt_en: fix error return code in bnxt_init_one() (git-fixes). - bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes). - bnxt_en: read EEPROM A2h address using page 0 (git-fixes). - bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes). - bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes). - bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes). - bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes). - bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518). - bpf, cgroup: Fix problematic bounds check (bsc#1155518). - btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626). - btrfs: Cleanup try_flush_qgroup (bsc#1182047). - btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574). - btrfs: fix race between RO remount and the cleaner task (bsc#1182626). - btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626). - btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626). - btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: lift read-write mount setup from mount and remount (bsc#1182626). - btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626). - btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047). - caif: no need to check return value of debugfs_create functions (git-fixes). - ceph: fix flush_snap logic after putting caps (bsc#1182854). 
- cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683). - cgroup: fix psi monitor for root cgroup (bsc#1182686). - cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684). - chelsio/chtls: correct function return and return type (git-fixes). - chelsio/chtls: correct netdevice for vlan interface (git-fixes). - chelsio/chtls: fix a double free in chtls_setkey() (git-fixes). - chelsio/chtls: fix always leaking ctrl_skb (git-fixes). - chelsio/chtls: fix deadlock issue (git-fixes). - chelsio/chtls: fix memory leaks caused by a race (git-fixes). - chelsio/chtls: fix memory leaks in CPL handlers (git-fixes). - chelsio/chtls: fix panic during unload reload chtls (git-fixes). - chelsio/chtls: fix socket lock (git-fixes). - chelsio/chtls: fix tls record info to user (git-fixes). - Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268). - chtls: Added a check to avoid NULL pointer dereference (git-fixes). - chtls: Fix chtls resources release sequence (git-fixes). - chtls: Fix hardware tid leak (git-fixes). - chtls: Fix panic when route to peer not configured (git-fixes). - chtls: Remove invalid set_tcb call (git-fixes). - chtls: Replace skb_dequeue with skb_peek (git-fixes). - cifs: check all path components in resolved dfs target (bsc#1181710). - cifs: fix nodfs mount option (bsc#1181710). - cifs: introduce helper for finding referral server (bsc#1181710). - cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440). - cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes). - cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes). - clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes). - clk: meson: clk-pll: make 'ret' a signed integer (git-fixes). - clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes). - clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes). 
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes). - clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes). - clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes). - clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes). - cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes). - cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes). - cpuset: fix race between hotplug work and later CPU offline (bsc#1182676). - crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes). - crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes). - cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes). - cxgb4: fix all-mask IP address comparison (git-fixes). - cxgb4: fix checks for max queues to allocate (git-fixes). - cxgb4: fix endian conversions for L4 ports in filters (git-fixes). - cxgb4: fix set but unused variable when DCB is disabled (git-fixes). - cxgb4: fix SGE queue dump destination buffer context (git-fixes). - cxgb4: fix the panic caused by non smac rewrite (git-fixes). - cxgb4: move DCB version extern to header file (git-fixes). - cxgb4: move handling L2T ARP failures to caller (git-fixes). - cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes). - cxgb4: parse TC-U32 key values and masks natively (git-fixes). - cxgb4: remove cast when saving IPv4 partial checksum (git-fixes). - cxgb4: set up filter action after rewrites (git-fixes). - cxgb4: use correct type for all-mask IP address comparison (git-fixes). - cxgb4: use unaligned conversion for fetching timestamp (git-fixes). - dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes). - dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes). - dmaengine: hsu: disable spurious interrupt (git-fixes). - dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes). 
- dm crypt: avoid truncating the logical block size (git-fixes). - dm: fix bio splitting and its bio completion order for regular IO (git-fixes). - dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529). - dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529). - dm thin metadata: fix lockdep complaint (bsc#1177529). - dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529). - dm: use noio when sending kobject event (bsc#1177529). - docs: filesystems: vfs: correct flag name (bsc#1182856). - dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes). - drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes). - drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes). - drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (git-fixes). - drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (git-fixes). - drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes). - drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes). - drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes). - drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes). - drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes). - drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes). - drm/amd/display: Revert 'Fix EDID parsing after resume from suspend' (git-fixes). - drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes). - drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes). - drm/gma500: Fix error return code in psb_driver_load() (git-fixes). - drm/meson: Unbind all connectors on module removal (bsc#1152472) - drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472) - drm/sun4i: dw-hdmi: Fix max. 
frequency for H6 (bsc#1152472) - drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472) - drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472) - drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489) - Drop HID logitech patch that caused a regression (bsc#1182259) - exec: Always set cap_ambient in cap_bprm_set_creds (git-fixes). - exfat: Avoid allocating upcase table using kcalloc() (git-fixes). - ext4: do not remount read-only with errors=continue on reboot (bsc#1182464). - ext4: fix a memory leak of ext4_free_data (bsc#1182447). - ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449). - ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463). - ext4: fix superblock checksum failure when setting password salt (bsc#1182465). - ext4: prevent creating duplicate encrypted filenames (bsc#1182446). - fgraph: Initialize tracing_graph_pause at task creation (git-fixes). - firmware_loader: align .builtin_fw to 8 (git-fixes). - fscrypt: add fscrypt_is_nokey_name() (bsc#1182446). - fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446). - fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466). - gma500: clean up error handling in init (git-fixes). - gpio: pcf857x: Fix missing first interrupt (git-fixes). - HID: core: detect and skip invalid inputs to snto32() (git-fixes). - HID: make arrays usage and value to be the same (git-fixes). - HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes). - hwrng: timeriomem - Fix cooldown period calculation (git-fixes). - i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes). - i2c: iproc: handle only slave interrupts which are enabled (git-fixes). - i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes). - i2c: stm32f7: fix configuration of the digital filter (git-fixes). - i3c: master: dw: Drop redundant disec call (git-fixes). 
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025). - i40e: avoid premature Rx buffer reuse (git-fixes). - i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes). - i40e: Fix MAC address setting for a VF via Host/VM (git-fixes). - i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes). - i40e: Revert 'i40e: do not report link up for a VF who hasn't enabled queues' (jsc#SLE-8025). - iavf: fix double-release of rtnl_lock (git-fixes). - iavf: fix error return code in iavf_init_get_resources() (git-fixes). - iavf: fix speed reporting over virtchnl (git-fixes). - iavf: Fix updating statistics (git-fixes). - ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591). - ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591). - ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997). - ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: device remove has higher precedence over reset (bsc#1065729). - ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591). - ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293). - ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631). 
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960). - ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: serialize access to work queue on remove (bsc#1065729). - ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes). 
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591). - ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290). - ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926). - ice: Fix MSI-X vector fallback logic (jsc#SLE-7926). - igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes). - igc: fix link speed advertising (git-fixes). - igc: Fix returning wrong statistics (git-fixes). - igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes). - igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes). - include/linux/memremap.h: remove stale comments (git-fixes). - Input: elo - fix an error code in elo_connect() (git-fixes). - Input: i8042 - unbreak Pegatron C15B (git-fixes). - Input: joydev - prevent potential read overflow in ioctl (git-fixes). - Input: sur40 - fix an error code in sur40_probe() (git-fixes). - Input: xpad - sync supported devices with fork on GitHub (git-fixes). - iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes). - iwlwifi: mvm: guard against device removal in reprobe (git-fixes). - iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes). - iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes). - iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes). - iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes). 
- iwlwifi: pcie: fix context info memory leak (git-fixes). - iwlwifi: pcie: reschedule in long-running memory reads (git-fixes). - iwlwifi: pcie: use jiffies for memory read spin time limit (git-fixes). - ixgbe: avoid premature Rx buffer reuse (git-fixes). - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes). - kABI: Fix kABI after AMD SEV PCID fixes (bsc#1178995). - kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846). - kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191). - kABI: repair, after 'nVMX: Emulate MTF when performing instruction emulation' kvm_x86_ops is part of kABI as it's used by LTTng. But it's only read and never allocated in there, so growing it (without altering existing members' offsets) is fine. - kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).') - kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846). - kernel/smp: add more data to CSD lock debugging (bsc#1180846). - kernel/smp: prepare more CSD lock debugging (bsc#1180846). - kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846). - KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818). - KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818). - KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489). - KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380). - KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: 'KVM: nVMX: Emulate MTF when performing instruction emulation' (bsc#1182380). - KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (bsc#1178995). - KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770). - KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800). - KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490). - KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381). - KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374). - KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801). - KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch (bsc#1178995). - KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406). - libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442). - lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599). - linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes). - mac80211: 160MHz with extended NSS BW in CSA (git-fixes). - mac80211: fix fast-rx encryption check (git-fixes). - mac80211: fix potential overflow when multiplying to u32 integers (git-fixes). - mac80211: pause TX while changing interface type (git-fixes). - macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost. - MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290). - matroxfb: avoid -Warray-bounds warning (bsc#1152472) - media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes). - media: camss: missing error code in msm_video_register() (git-fixes). - media: cx25821: Fix a bug when reallocating some dma memory (git-fixes). - media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes). - media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes). - media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes). - media: lmedm04: Fix misuse of comma (git-fixes). - media: media/pci: Fix memleak in empress_init (git-fixes). - media: mt9v111: Remove unneeded device-managed puts (git-fixes). 
- media: pwc: Use correct device for DMA (bsc#1181133). - media: pxa_camera: declare variable when DEBUG is defined (git-fixes). - media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes). - media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes). - media: tm6000: Fix memleak in tm6000_start_stream (git-fixes). - media: vsp1: Fix an error handling path in the probe function (git-fixes). - mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes). - memory: ti-aemif: Drop child node when jumping out loop (git-fixes). - mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes). - mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes). - misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes). - misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes). - mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes). - mlxsw: core: Fix memory leak on module removal (git-fixes). - mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes). - mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes). - mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes). - mlxsw: core: Increase scope of RCU read-side critical section (git-fixes). - mlxsw: core: Use variable timeout for EMAD retries (git-fixes). - mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes). - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes). - mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes). - mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes). - mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes). - mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes). 
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273). - mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes). - mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273). - mt76: dma: fix a possible memory leak in mt76_add_fragment() (git-fixes). - net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes). - net: axienet: Fix error return code in axienet_probe() (git-fixes). - net: bcmgenet: Fix WoL with password after deep sleep (git-fixes). - net: bcmgenet: keep MAC in reset until PHY is up (git-fixes). - net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes). - net: bcmgenet: set Rx mode before starting netif (git-fixes). - net: bcmgenet: use hardware padding of runt frames (git-fixes). - net: broadcom CNIC: requires MMU (git-fixes). - net: caif: Fix debugfs on 64-bit platforms (git-fixes). - net/cxgb4: Check the return from t4_query_params properly (git-fixes). - net: cxgb4: fix return error value in t4_prep_fw (git-fixes). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes). - net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes). - net: dsa: mt7530: set CPU port to fallback mode (git-fixes). - net: ena: set initial DMA width to avoid intel iommu issue (git-fixes). - net: ethernet: ave: Fix error returns in ave_init (git-fixes). - net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes). - net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes). - net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes). - net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes). - net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes). 
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes). - net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes). - net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353). - net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes). - net: hns3: add a missing uninit debugfs when unload driver (git-fixes). - net: hns3: add reset check for VF updating port based VLAN (git-fixes). - net: hns3: clear port base VLAN when unload PF (git-fixes). - net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes). - net: hns3: fix a TX timeout issue (git-fixes). - net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes). - net: hns3: fix for mishandle of asserting VF reset fail (git-fixes). - net: hns3: fix for VLAN config when reset failed (git-fixes). - net: hns3: fix RSS config lost after VF reset (git-fixes). - net: hns3: fix set and get link ksettings issue (git-fixes). - net: hns3: fix 'tc qdisc del' failed issue (git-fixes). - net: hns3: fix the number of queues actually used by ARQ (git-fixes). - net: hns3: fix use-after-free when doing self test (git-fixes). - net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes). - net: hns: fix return value check in __lb_other_process() (git-fixes). - net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes). - net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes). - net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes). - net: macb: mark device wake capable when 'magic-packet' property present (git-fixes). - net/mlx4_core: fix a memory leak bug (git-fixes). - net/mlx4_core: Fix init_hca fields offset (git-fixes). - net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854). - net/mlx4_en: Handle TX error CQE (bsc#1181854). - net/mlx5: Add handling of port type in rule deletion (git-fixes). 
- net/mlx5: Annotate mutex destroy for root ns (git-fixes). - net/mlx5: Clear LAG notifier pointer after unregister (git-fixes). - net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes). - net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes). - net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes). - net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes). - net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes). - net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes). - net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes). - net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464). - net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes). - net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes). - net/mlx5e: Fix endianness handling in pedit mask (git-fixes). - net/mlx5e: Fix error path of device attach (git-fixes). - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes). - net/mlx5e: Fix two double free cases (git-fixes). - net/mlx5e: Fix VLAN cleanup flow (git-fixes). - net/mlx5e: Fix VLAN create flow (git-fixes). - net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes). - net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes). - net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes). - net/mlx5e: Reduce tc unsupported key print level (git-fixes). - net/mlx5e: Rename hw_modify to preactivate (git-fixes). - net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes). - net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes). - net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes). - net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes). 
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes). - net/mlx5e: Use preactivate hook to set the indirection table (git-fixes). - net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes). - net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes). - net/mlx5: Fix deletion of duplicate rules (git-fixes). - net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes). - net/mlx5: Fix memory leak on flow table creation error flow (git-fixes). - net/mlx5: Fix request_irqs error flow (git-fixes). - net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes). - net/mlx5: Query PPS pin operational status before registering it (git-fixes). - net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes). - net: moxa: Fix a potential double 'free_irq()' (git-fixes). - net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes). - net: mscc: ocelot: fix address ageing time (again) (git-fixes). - net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes). - net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes). - net: mvpp2: disable force link UP during port init procedure (git-fixes). - net: mvpp2: Fix error return code in mvpp2_open() (git-fixes). - net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes). - net: mvpp2: fix memory leak in mvpp2_rx (git-fixes). - net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes). - net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes). - net: mvpp2: Remove Pause and Asym_Pause support (git-fixes). - net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes). - net: netsec: Correct dma sync for XDP_TX frames (git-fixes). - net: nixge: fix potential memory leak in nixge_probe() (git-fixes). - net: octeon: mgmt: Repair filling of RX ring (git-fixes). 
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes). - net: phy: extract link partner advertisement reading (git-fixes). - net: phy: extract pause mode (git-fixes). - net: phy: marvell10g: fix null pointer dereference (git-fixes). - net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes). - net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes). - net: qca_spi: fix receive buffer size check (git-fixes). - net: qca_spi: Move reset_count to struct qcaspi (git-fixes). - net: qede: fix PTP initialization on recovery (git-fixes). - net: qede: fix use-after-free on recovery and AER handling (git-fixes). - net: qede: stop adding events on an already destroyed workqueue (git-fixes). - net: qed: fix async event callbacks unregistering (git-fixes). - net: qed: fix excessive QM ILT lines consumption (git-fixes). - net: qed: fix 'maybe uninitialized' warning (git-fixes). - net: qed: fix NVMe login fails over VFs (git-fixes). - net: qed: RDMA personality shouldn't fail VF load (git-fixes). - net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293). - net: rmnet: do not allow to add multiple bridge interfaces (git-fixes). - net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes). - net: rmnet: fix bridge mode bugs (git-fixes). - net: rmnet: fix lower interface leak (git-fixes). - net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes). - net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes). - net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes). - net: rmnet: fix suspicious RCU usage (git-fixes). - net: rmnet: print error message when command fails (git-fixes). - net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes). - net: rmnet: use upper/lower device infrastructure (git-fixes). - net, sctp, filter: remap copy_from_user failure error (bsc#1181637). 
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes). - net/sonic: Add mutual exclusion for accessing shared state (git-fixes). - net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes). - net: stmmac: Always arm TX Timer at end of transmission start (git-fixes). - net: stmmac: Do not accept invalid MTU values (git-fixes). - net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes). - net: stmmac: Enable 16KB buffer size (git-fixes). - net: stmmac: fix disabling flexible PPS output (git-fixes). - net: stmmac: fix length of PTP clock's name string (git-fixes). - net: stmmac: Fix the TX IOC in xmit path (git-fixes). - net: stmmac: RX buffer size must be 16 byte aligned (git-fixes). - net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes). - net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes). - net: stmmac: xgmac: Clear previous RX buffer size (git-fixes). - net: sun: fix missing release regions in cas_init_one() (git-fixes). - net: team: fix memory leak in __team_options_register (git-fixes). - net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes). - net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (git-fixes). - net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes). - nvme-hwmon: rework to avoid devm allocation (bsc#1177326). - nvme-multipath: Early exit if no path is available (bsc#1180964). - nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137). - nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547). - objtool: Do not fail on missing symbol table (bsc#1169514). - perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989). - perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989). - perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989). - perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989). 
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989). - perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989). - perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989). - phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes). - phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes). - platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes). - platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes). - platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes). - powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345). - powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395). - powerpc: Fix alignment bug within the init sections (bsc#1065729). - powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395). - powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159). - powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159). - powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159). - powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes). - powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530). - powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159). - powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159). - powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159). - powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159). - powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159). - powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159). 
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159). - powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159). - powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159). - powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729). - powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624). - powerpc/pkeys: Avoid using lockless page table walk (bsc#1181544 ltc#191080). - powerpc/pkeys: Check vma before returning key fault error to the user (bsc#1181544 ltc#191080). - powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395). - powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395). - powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395). - powerpc/prom: Fix 'ibm,arch-vec-5-platform-support' scan (bsc#1182602 ltc#190924). - powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074). - powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855). - powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes). - powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900). - powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159). 
- powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159). - powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729. git-fixes). - powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159). - powerpc/pseries: remove memory 're-add' implementation (bsc#1181674 ltc#189159). - powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159). - powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159). - powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159). - powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159). - powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159). - powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159). - powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159). 
- powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159). - powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159). - powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159). - power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes). - pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530). - pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530). - qed: fix error return code in qed_iwarp_ll2_start() (git-fixes). - qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes). - qed: Populate nvm-file attributes while reading nvm config partition (git-fixes). - qed: select CONFIG_CRC32 (git-fixes). - qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes). - quota: Fix memory leak when handling corrupted quota file (bsc#1182650). - quota: Sanity-check quota file headers on load (bsc#1182461). - r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes). - r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set (git-fixes). - rcu/nocb: Perform deferred wake up before last idle's (git-fixes) - rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes) - rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes) - RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248). - RDMA/efa: Count admin commands errors (bsc#1176248). - RDMA/efa: Count mmap failures (bsc#1176248). - RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248). - RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248). - RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248). - RDMA/efa: Expose minimum SQ size (bsc#1176248). - RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248). 
- RDMA/efa: Properly document the interrupt mask register (bsc#1176248). - RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248). - RDMA/efa: Report create CQ error counter (bsc#1176248). - RDMA/efa: Report host information to the device (bsc#1176248). - RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248). - RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248). - RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248). - RDMA/efa: Use the correct current and new states in modify QP (git-fixes). - regulator: axp20x: Fix reference cout leak (git-fixes). - regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes). - regulator: core: avoid regulator_resolve_supply() race condition (git-fixes). - regulator: Fix lockdep warning resolving supplies (git-fixes). - regulator: s5m8767: Drop regulators OF node reference (git-fixes). - regulator: s5m8767: Fix reference count leak (git-fixes). - reiserfs: add check for an invalid ih_entry_count (bsc#1182462). - reset: hisilicon: correct vendor prefix (git-fixes). - Revert 'ibmvnic: remove never executed if statement' (jsc#SLE-17043 bsc#1179243 ltc#189290). - Revert 'net: bcmgenet: remove unused function in bcmgenet.c' (git-fixes). - Revert 'platform/x86: ideapad-laptop: Switch touchpad attribute to be RO' (git-fixes). - Revert 'RDMA/mlx5: Fix devlink deadlock on net namespace deletion' (jsc#SLE-8464). - rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439) - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058) - rtc: s5m: select REGMAP_I2C (git-fixes). - rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9). - s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated (git-fixes). - s390/vfio-ap: No need to disable IRQ after queue reset (git-fixes). 
- sched: Reenable interrupts in do_sched_yield() (git-fixes) - scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958). - sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes). - sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes). - sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes). - smp: Add source and destination CPUs to __call_single_data (bsc#1180846). - smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes). - smsc95xx: check return value of smsc95xx_reset (git-fixes). - soc: aspeed: snoop: Add clock control logic (git-fixes). - spi: atmel: Put allocated master before return (git-fixes). - spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes). - spi: spi-synquacer: fix set_cs handling (git-fixes). - spi: stm32: properly handle 0 byte transfer (git-fixes). - squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266). - squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267). - squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268). - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes). - target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109). - team: set dev->needed_headroom in team_setup_by_port() (git-fixes). - tpm: Remove tpm_dev_wq_lock (git-fixes). - tpm_tis: Clean up locality release (git-fixes). - tpm_tis: Fix check_locality for correct locality acquisition (git-fixes). - tracing: Check length before giving out the filter buffer (git-fixes). - tracing: Do not count ftrace events in top level enable output (git-fixes). - tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes). - tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes). - tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes). - ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459). 
- ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454). - ubifs: prevent creating duplicate encrypted filenames (bsc#1182457). - ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456). - ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455). - ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458). - Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846). - Update config files: Set ledtrig-default-on as builtin (bsc#1182128) - USB: dwc2: Abort transaction after errors with unknown reason (git-fixes). - USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes). - USB: dwc2: Make 'trimming xfer length' a debug message (git-fixes). - USB: dwc3: fix clock issue during resume in OTG mode (git-fixes). - USB: gadget: legacy: fix an error code in eth_bind() (git-fixes). - USB: gadget: u_audio: Free requests only after callback (git-fixes). - USB: mUSB: Fix runtime PM race in musb_queue_resume_work (git-fixes). - USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes). - USB: quirks: sort quirk entries (git-fixes). - USB: renesas_usbhs: Clear pipe running flag in USBhs_pkt_pop() (git-fixes). - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes). - USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes). - USB: serial: mos7720: fix error code in mos7720_write() (git-fixes). - USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes). - USB: serial: mos7840: fix error code in mos7840_write() (git-fixes). - USB: serial: option: Adding support for Cinterion MV31 (git-fixes). - USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes). - veth: Adjust hard_start offset on redirect XDP frames (git-fixes). - vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265). - virtio_net: Fix error code in probe() (git-fixes). - virtio_net: Fix recursive call to cpus_read_lock() (git-fixes). 
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes). - virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes). - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671). - vxlan: fix memleak of fdb (git-fixes). - wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (git-fixes). - writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460). - x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489). - x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489). - x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191). - x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191). - x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191). - x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191). - x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191). - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600). - xen/netback: fix spurious event detection for common event case (bsc#1182175). - xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272). - xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558). - xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276). - xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430). - xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273). - xfs: ratelimit xfs_discard_page messages (bsc#1182283). - xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561). - xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275). - xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278). 
- xfs: strengthen rmap record flags checking (git-fixes bsc#1182271). - xhci: fix bounce buffer usage for non-sg list case (git-fixes). The kernel-default-base packaging was changed: - Added squashfs for kiwi installiso support (bsc#1182341) - Added fuse (bsc#1182507) - Added modules which got lost when migrating away from supported.conf (bsc#1182110): * am53c974 had a typo * cls_bpf, iscsi_ibft, libahci, libata, openvswitch, sch_ingress - Also added vport-* modules for Open vSwitch ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:758-1 Released: Wed Mar 10 12:16:27 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1182688 This update for dracut fixes the following issues: - network-legacy: fix route parsing issues in ifup. (bsc#1182688) -0kernel-modules: arm/arm64: Add reset controllers - Prevent creating unexpected files on the host when running dracut - As of 'v246' of systemd 'syslog' and 'syslog-console' switches have been deprecated. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:784-1 Released: Mon Mar 15 11:19:08 2021 Summary: Recommended update for efivar Type: recommended Severity: moderate References: 1181967 This update for efivar fixes the following issues: - Fixed an issue with the NVME path parsing (bsc#1181967) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:802-1 Released: Tue Mar 16 16:54:12 2021 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1183073 This update for grub2 fixes the following issues: - Fixed chainloading windows on dual boot machine (bsc#1183073) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:874-1 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179847,1181328,1181622,1182629 This update for libsolv, libzypp, zypper fixes the following issues: - support 
multiple collections in updateinfo parser - Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328) - Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847) - Fix '%posttrans' script execution. (fixes #265) - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - doc: give more details about creating versioned package locks. (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:881-1 Released: Fri Mar 19 04:16:42 2021 Summary: Recommended update for yast2-adcommon-python, yast2-aduc, samba Type: recommended Severity: moderate References: 1084864,1132565,1133568,1135130,1135224,1138203,1138487,1145508,1146898,1150394,1150612,1151713,1152052,1154121,1170998 This update for yast2-adcommon-python, yast2-aduc, samba fixes the following issues: - Update 'aduc' for 'realmd' customer. (jsc#SLE-5527) - Add ability to change/enable/unlock user's passwords. (bsc#1152052) - Fixes a Failure to authenticate on first try and throws a MemoryError on Ubuntu. (bsc#1151713) - Fixes an issue when unused 'xset' may cause exception in 'appimage'. (bsc#1150612) - Include other object creation options. (bsc#1138203) - Use the domain name stored in the samba credentials object. (bsc#1138487) - Display a backtrace if the connection fails. - Use new schema of desktop files. (bsc#1084864) - Move the module to Network Services. - Use common authentication from yast2-adcommon-python.
- Switch to using a unified file/actions menu, instead of random buttons - Remove 'ad-dc' dependency. (jsc#ECO-2527) - Fix slow load of 'ADUC' caused by chatty ldap traffic. (bsc#1170998) - The domain label should be a text field, for manually entering the domain name. (bsc#1154121) - Fix to reconnect the 'ldap' session if it times out. (bsc#1150394) - 'AD' modules should connect to an AD-DC via the SamDB interface, instead of 'python-ldap'. (bsc#1146898) - Fix incorrectly placed domain in change domain dialog (bsc#1145508) - YaST 'aduc/adsi/gpmc' should not exit after entering empty password and explicitly state that an Active Directory administrator should sign in. (bsc#1132565) - Move schema parsing code from adsi to the common code. (bsc#1138203) - 'TypeError: Expected a string or unicode object' during auth. (bsc#1135224) - Authentication fails with 'Failed to initialize ldap connection'. (bsc#1135130) - Fix for an issue when 'yast2-adcommon-python' 'ldap' does not correctly parse 'ldap' urls. (bsc#1133568) - Initial version ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units.
(#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:933-1 Released: Wed Mar 24 12:16:14 2021 Summary: Security update for ruby2.5 Type: security Severity: important References: 1177125,1177222,CVE-2020-25613 This update for ruby2.5 fixes the following issues: - CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125). - Enable optimizations also on ARM64 (bsc#1177222) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:945-1 Released: Wed Mar 24 13:43:08 2021 Summary: Security update for ldb Type: security Severity: important References: 1183572,1183574,CVE-2020-27840,CVE-2021-20277 This update for ldb fixes the following issues: - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572). - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning through the use of a semicolon as a query string separator in query parameters (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue.
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:960-1 Released: Mon Mar 29 11:16:28 2021 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1181283 This update for cloud-init fixes the following issues: - No longer includes the sudoers.d directory twice (bsc#1181283) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low References: 1181131,CVE-2021-20193 This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:42:46 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:991-1 Released: Wed Mar 31 13:28:37 2021 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1182324 This update for vim provides the following fixes: - Install SUSE vimrc in /usr. (bsc#1182324) - Source correct suse.vimrc file.
(bsc#1182324) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) From sle-security-updates at lists.suse.com Wed Apr 7 16:20:55 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 7 Apr 2021 18:20:55 +0200 (CEST) Subject: SUSE-IU-2021:430-1: Security update of sles-15-sp2-chost-byos-v20210405 Message-ID: <20210407162055.9D44FB462AB@westernhagen.suse.de> SUSE Image Update Advisory: sles-15-sp2-chost-byos-v20210405 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:430-1 Image Tags : sles-15-sp2-chost-byos-v20210405:20210405 Image Release : Severity : important Type : security References : 1065600 1065729 1078466 1078720 1081134 1083473 1084610 1084864 1112500 1115408 1132477 1132565 1133568 1135130 1135224 1138203 1138487 1145508 1146705 1146898 1150394 1150612 1151713 1151927 1152052 1152472 1152489 1154121 1154353 1155518 1156395 1163776 1165780 1169514 1170442 1170998 1172442 1174075 1175519 1175970 1176171 1176201 1176248 1176262 1176708 1176711 1176855 1177109 1177125 1177127 1177222 1177326 1177440 1177529 1177883 1178142 
1178386 1178775 1178801 1178801 1178969 1178995 1179082 1179137 1179243 1179264 1179265 1179428 1179660 1179694 1179721 1179756 1179847 1179929 1180020 1180038 1180058 1180073 1180083 1180243 1180336 1180401 1180401 1180501 1180596 1180686 1180827 1180846 1180933 1180964 1180989 1181011 1181126 1181131 1181133 1181259 1181313 1181328 1181358 1181505 1181544 1181574 1181622 1181637 1181655 1181671 1181674 1181710 1181720 1181730 1181732 1181735 1181736 1181738 1181747 1181753 1181818 1181831 1181843 1181854 1181896 1181958 1181960 1181967 1181985 1182047 1182057 1182110 1182117 1182118 1182128 1182140 1182168 1182171 1182175 1182246 1182259 1182262 1182263 1182265 1182266 1182267 1182268 1182271 1182272 1182273 1182275 1182276 1182278 1182279 1182283 1182324 1182328 1182331 1182333 1182341 1182362 1182374 1182379 1182380 1182381 1182406 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182430 1182439 1182441 1182442 1182443 1182444 1182445 1182446 1182447 1182449 1182454 1182455 1182456 1182457 1182458 1182459 1182460 1182461 1182462 1182463 1182464 1182465 1182466 1182485 1182489 1182490 1182507 1182547 1182558 1182560 1182561 1182571 1182599 1182602 1182626 1182629 1182650 1182672 1182676 1182683 1182684 1182686 1182688 1182770 1182798 1182800 1182801 1182854 1182856 1182959 1183012 1183073 1183094 1183370 1183371 1183456 1183457 1183572 1183574 1183852 1183933 1183934 CVE-2019-20916 CVE-2019-25013 CVE-2020-11080 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373 CVE-2020-14372 CVE-2020-15257 CVE-2020-25613 CVE-2020-25632 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27840 CVE-2020-29368 CVE-2020-29374 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8625 CVE-2021-20193 CVE-2021-20225 CVE-2021-20231 CVE-2021-20232 CVE-2021-20233 CVE-2021-20277 CVE-2021-21284 
CVE-2021-21285 CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-26720 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 ----------------------------------------------------------------- The container sles-15-sp2-chost-byos-v20210405 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:419-1 Released: Wed Feb 10 12:03:33 2021 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: 1181313 This update for open-iscsi fixes the following issues: - Fixes a segfault when exiting from iscsiadm (bsc#1181313) - Fix for several memory leaks in iscsiadm - Fix for a crash when function iscsi_rec_update_param() is invoked ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:435-1 Released: Thu Feb 11 14:47:25 2021 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: important References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). 
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend.
Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:507-1 Released: Thu Feb 18 09:34:49 2021 Summary: Security update for bind Type: security Severity: important References: 1182246,CVE-2020-8625 This update for bind fixes the following issues: - CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:516-1 Released: Thu Feb 18 14:42:51 2021 Summary: Recommended update for docker, golang-github-docker-libnetwork Type: recommended Severity: moderate References: 1178801,1180401,1182168 This update for docker, golang-github-docker-libnetwork fixes the following issues: - A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:519-1 Released: Fri Feb 19 09:44:53 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1180501 This update for openssh fixes the following issues: - Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:551-1 Released: Tue Feb 23 09:31:53 2021 Summary: Security update for avahi Type: security Severity: moderate References: 1180827,CVE-2021-26720 This update for avahi fixes the following issues: - CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827) - Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d. - Add sudo to requires: used to drop privileges. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:573-1 Released: Wed Feb 24 09:58:38 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1176171,1180336 This update for dracut fixes the following issues: - arm/arm64: Add reset controllers (bsc#1180336) - Prevent creating unexpected files on the host when running dracut (bsc#1176171) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 
09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate References: 1177127 This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:683-1 Released: Tue Mar 2 19:04:43 2021 Summary: Security update for grub2 Type: security Severity: important References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233 This update for grub2 fixes the following issues: grub2 implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057) - CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711) - CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883) - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264) - CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970) - CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262) - CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:689-1 Released: Tue Mar 2 19:08:40 2021 Summary: Security update for bind Type: security Severity: important References: 1180933 This update for bind fixes the following issues: - dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. 
[bsc#1180933] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). 
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:741-1 Released: Tue Mar 9 16:11:49 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1065600,1065729,1078720,1081134,1084610,1132477,1151927,1152472,1152489,1154353,1155518,1156395,1163776,1169514,1170442,1176248,1176855,1177109,1177326,1177440,1177529,1178142,1178995,1179082,1179137,1179243,1179428,1179660,1179929,1180058,1180846,1180964,1180989,1181133,1181259,1181544,1181574,1181637,1181655,1181671,1181674,1181710,1181720,1181735,1181736,1181738,1181747,1181753,1181818,1181843,1181854,1181896,1181958,1181960,1181985,1182047,1182110,1182118,1182128,1182140,1182171,1182175,1182259,1182265,1182266,1182267,1182268,1182271,1182272,1182273,1182275,1182276,1182278,1182283,1182341,1182374,1182380,1182381,1182406,1182430,1182439,1182441,1182442,1182443,1182444,1182445,1182446,1182447,1182449,1182454,1182455,1182456,1182457,1182458,1182459,1182460,1182461,1182462,1182463,1182464,1182465,1182466,1182485,1182489,1182490,1182507,1182547,1182558,1182560,1182561,1182571,1182599,1182602,1182626,1182650,1182672,1182676,1182683,1182684,1182686,1182770,1182798,1182800,1182801,1182854,1182856,CVE-2020-12362,CVE-2020-12363,CVE-2020-12364,CVE-2020-12373,CVE-2020-29368,CVE-2020-29374,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932 The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843). - CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).
- CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).
- CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736).
- CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes).
- ACPI: property: Fix fwnode string properties matching (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes).
- ALSA: hda: Add another CometLake-H PCI ID (git-fixes).
- ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes).
- ALSA: pcm: Call sync_stop at disconnection (git-fixes).
- ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes).
- ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes).
- ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes).
- ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes). - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes). - ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes). - ALSA: usb-audio: More strict state change in EP (git-fixes). - amba: Fix resource leak for drivers without .remove (git-fixes). - arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560) - ASoC: cpcap: fix microphone timeslot mask (git-fixes). - ASoC: cs42l56: fix up error handling in probe (git-fixes). - ASoC: simple-card-utils: Fix device module clock (git-fixes). - ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes). - ata: ahci_brcm: Add back regulators management (git-fixes). - ata: sata_nv: Fix retrieving of active qcs (git-fixes). - ath10k: Fix error handling in case of CE pipe init failure (git-fixes). - ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes). - bcache: fix overflow in offset_to_stripe() (git-fixes). - blk-mq: call commit_rqs while list empty but error happen (bsc#1182442). - blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443). - blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444). - block: fix inflight statistics of part0 (bsc#1182445). - block: respect queue limit of max discard segment (bsc#1182441). - block: virtio_blk: fix handling single range discard request (bsc#1182439). - Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes). - Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes). - Bluetooth: drop HCI device reference before return (git-fixes). - Bluetooth: Fix initializing response id after clearing struct (git-fixes). - Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes). - Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes). 
- bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes). - bnxt_en: fix error return code in bnxt_init_board() (git-fixes). - bnxt_en: fix error return code in bnxt_init_one() (git-fixes). - bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes). - bnxt_en: read EEPROM A2h address using page 0 (git-fixes). - bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes). - bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes). - bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes). - bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes). - bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518). - bpf, cgroup: Fix problematic bounds check (bsc#1155518). - btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626). - btrfs: Cleanup try_flush_qgroup (bsc#1182047). - btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574). - btrfs: fix race between RO remount and the cleaner task (bsc#1182626). - btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626). - btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626). - btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: lift read-write mount setup from mount and remount (bsc#1182626). - btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626). - btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047). - caif: no need to check return value of debugfs_create functions (git-fixes). - ceph: fix flush_snap logic after putting caps (bsc#1182854). 
- cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683). - cgroup: fix psi monitor for root cgroup (bsc#1182686). - cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684). - chelsio/chtls: correct function return and return type (git-fixes). - chelsio/chtls: correct netdevice for vlan interface (git-fixes). - chelsio/chtls: fix a double free in chtls_setkey() (git-fixes). - chelsio/chtls: fix always leaking ctrl_skb (git-fixes). - chelsio/chtls: fix deadlock issue (git-fixes). - chelsio/chtls: fix memory leaks caused by a race (git-fixes). - chelsio/chtls: fix memory leaks in CPL handlers (git-fixes). - chelsio/chtls: fix panic during unload reload chtls (git-fixes). - chelsio/chtls: fix socket lock (git-fixes). - chelsio/chtls: fix tls record info to user (git-fixes). - Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268). - chtls: Added a check to avoid NULL pointer dereference (git-fixes). - chtls: Fix chtls resources release sequence (git-fixes). - chtls: Fix hardware tid leak (git-fixes). - chtls: Fix panic when route to peer not configured (git-fixes). - chtls: Remove invalid set_tcb call (git-fixes). - chtls: Replace skb_dequeue with skb_peek (git-fixes). - cifs: check all path components in resolved dfs target (bsc#1181710). - cifs: fix nodfs mount option (bsc#1181710). - cifs: introduce helper for finding referral server (bsc#1181710). - cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440). - cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes). - cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes). - clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes). - clk: meson: clk-pll: make 'ret' a signed integer (git-fixes). - clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes). - clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes). 
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes). - clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes). - clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes). - clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes). - cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes). - cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes). - cpuset: fix race between hotplug work and later CPU offline (bsc#1182676). - crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes). - crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes). - cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes). - cxgb4: fix all-mask IP address comparison (git-fixes). - cxgb4: fix checks for max queues to allocate (git-fixes). - cxgb4: fix endian conversions for L4 ports in filters (git-fixes). - cxgb4: fix set but unused variable when DCB is disabled (git-fixes). - cxgb4: fix SGE queue dump destination buffer context (git-fixes). - cxgb4: fix the panic caused by non smac rewrite (git-fixes). - cxgb4: move DCB version extern to header file (git-fixes). - cxgb4: move handling L2T ARP failures to caller (git-fixes). - cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes). - cxgb4: parse TC-U32 key values and masks natively (git-fixes). - cxgb4: remove cast when saving IPv4 partial checksum (git-fixes). - cxgb4: set up filter action after rewrites (git-fixes). - cxgb4: use correct type for all-mask IP address comparison (git-fixes). - cxgb4: use unaligned conversion for fetching timestamp (git-fixes). - dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes). - dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes). - dmaengine: hsu: disable spurious interrupt (git-fixes). - dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes). 
- dm crypt: avoid truncating the logical block size (git-fixes). - dm: fix bio splitting and its bio completion order for regular IO (git-fixes). - dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529). - dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529). - dm thin metadata: fix lockdep complaint (bsc#1177529). - dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529). - dm: use noio when sending kobject event (bsc#1177529). - docs: filesystems: vfs: correct flag name (bsc#1182856). - dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes). - drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes). - drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes). - drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (git-fixes). - drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (git-fixes). - drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes). - drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes). - drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes). - drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes). - drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes). - drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes). - drm/amd/display: Revert 'Fix EDID parsing after resume from suspend' (git-fixes). - drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes). - drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes). - drm/gma500: Fix error return code in psb_driver_load() (git-fixes). - drm/meson: Unbind all connectors on module removal (bsc#1152472) - drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472) - drm/sun4i: dw-hdmi: Fix max. 
frequency for H6 (bsc#1152472) - drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472) - drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472) - drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489) - Drop HID logitech patch that caused a regression (bsc#1182259) - exec: Always set cap_ambient in cap_bprm_set_creds (git-fixes). - exfat: Avoid allocating upcase table using kcalloc() (git-fixes). - ext4: do not remount read-only with errors=continue on reboot (bsc#1182464). - ext4: fix a memory leak of ext4_free_data (bsc#1182447). - ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449). - ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463). - ext4: fix superblock checksum failure when setting password salt (bsc#1182465). - ext4: prevent creating duplicate encrypted filenames (bsc#1182446). - fgraph: Initialize tracing_graph_pause at task creation (git-fixes). - firmware_loader: align .builtin_fw to 8 (git-fixes). - fscrypt: add fscrypt_is_nokey_name() (bsc#1182446). - fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446). - fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466). - gma500: clean up error handling in init (git-fixes). - gpio: pcf857x: Fix missing first interrupt (git-fixes). - HID: core: detect and skip invalid inputs to snto32() (git-fixes). - HID: make arrays usage and value to be the same (git-fixes). - HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes). - hwrng: timeriomem - Fix cooldown period calculation (git-fixes). - i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes). - i2c: iproc: handle only slave interrupts which are enabled (git-fixes). - i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes). - i2c: stm32f7: fix configuration of the digital filter (git-fixes). - i3c: master: dw: Drop redundant disec call (git-fixes). 
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025). - i40e: avoid premature Rx buffer reuse (git-fixes). - i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes). - i40e: Fix MAC address setting for a VF via Host/VM (git-fixes). - i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes). - i40e: Revert 'i40e: do not report link up for a VF who hasn't enabled queues' (jsc#SLE-8025). - iavf: fix double-release of rtnl_lock (git-fixes). - iavf: fix error return code in iavf_init_get_resources() (git-fixes). - iavf: fix speed reporting over virtchnl (git-fixes). - iavf: Fix updating statistics (git-fixes). - ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591). - ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591). - ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997). - ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: device remove has higher precedence over reset (bsc#1065729). - ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591). - ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293). - ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631). 
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960). - ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: serialize access to work queue on remove (bsc#1065729). - ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes). 
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591). - ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290). - ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290). - ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926). - ice: Fix MSI-X vector fallback logic (jsc#SLE-7926). - igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes). - igc: fix link speed advertising (git-fixes). - igc: Fix returning wrong statistics (git-fixes). - igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes). - igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes). - include/linux/memremap.h: remove stale comments (git-fixes). - Input: elo - fix an error code in elo_connect() (git-fixes). - Input: i8042 - unbreak Pegatron C15B (git-fixes). - Input: joydev - prevent potential read overflow in ioctl (git-fixes). - Input: sur40 - fix an error code in sur40_probe() (git-fixes). - Input: xpad - sync supported devices with fork on GitHub (git-fixes). - iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes). - iwlwifi: mvm: guard against device removal in reprobe (git-fixes). - iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes). - iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes). - iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes). - iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes). 
- iwlwifi: pcie: fix context info memory leak (git-fixes). - iwlwifi: pcie: reschedule in long-running memory reads (git-fixes). - iwlwifi: pcie: use jiffies for memory read spin time limit (git-fixes). - ixgbe: avoid premature Rx buffer reuse (git-fixes). - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes). - kABI: Fix kABI after AMD SEV PCID fixes (bsc#1178995). - kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846). - kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191). - kABI: repair, after 'nVMX: Emulate MTF when performing instruction emulation' kvm_x86_ops is part of kABI as it's used by LTTng. But it's only read and never allocated in there, so growing it (without altering existing members' offsets) is fine. - kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).') - kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846). - kernel/smp: add more data to CSD lock debugging (bsc#1180846). - kernel/smp: prepare more CSD lock debugging (bsc#1180846). - kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846). - KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818). - KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818). - KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489). - KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380). - KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: 'KVM: nVMX: Emulate MTF when performing instruction emulation' (bsc#1182380). - KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (bsc#1178995). - KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770). - KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800). - KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490). - KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381). - KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374). - KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801). - KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch (bsc#1178995). - KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406). - libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442). - lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599). - linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes). - mac80211: 160MHz with extended NSS BW in CSA (git-fixes). - mac80211: fix fast-rx encryption check (git-fixes). - mac80211: fix potential overflow when multiplying to u32 integers (git-fixes). - mac80211: pause TX while changing interface type (git-fixes). - macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost. - MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290). - matroxfb: avoid -Warray-bounds warning (bsc#1152472) - media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes). - media: camss: missing error code in msm_video_register() (git-fixes). - media: cx25821: Fix a bug when reallocating some dma memory (git-fixes). - media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes). - media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes). - media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes). - media: lmedm04: Fix misuse of comma (git-fixes). - media: media/pci: Fix memleak in empress_init (git-fixes). - media: mt9v111: Remove unneeded device-managed puts (git-fixes). 
- media: pwc: Use correct device for DMA (bsc#1181133). - media: pxa_camera: declare variable when DEBUG is defined (git-fixes). - media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes). - media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes). - media: tm6000: Fix memleak in tm6000_start_stream (git-fixes). - media: vsp1: Fix an error handling path in the probe function (git-fixes). - mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes). - memory: ti-aemif: Drop child node when jumping out loop (git-fixes). - mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes). - mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes). - misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes). - misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes). - mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes). - mlxsw: core: Fix memory leak on module removal (git-fixes). - mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes). - mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes). - mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes). - mlxsw: core: Increase scope of RCU read-side critical section (git-fixes). - mlxsw: core: Use variable timeout for EMAD retries (git-fixes). - mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes). - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes). - mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes). - mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes). - mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes). - mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes). 
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273). - mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes). - mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273). - mt76: dma: fix a possible memory leak in mt76_add_fragment() (git-fixes). - net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes). - net: axienet: Fix error return code in axienet_probe() (git-fixes). - net: bcmgenet: Fix WoL with password after deep sleep (git-fixes). - net: bcmgenet: keep MAC in reset until PHY is up (git-fixes). - net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes). - net: bcmgenet: set Rx mode before starting netif (git-fixes). - net: bcmgenet: use hardware padding of runt frames (git-fixes). - net: broadcom CNIC: requires MMU (git-fixes). - net: caif: Fix debugfs on 64-bit platforms (git-fixes). - net/cxgb4: Check the return from t4_query_params properly (git-fixes). - net: cxgb4: fix return error value in t4_prep_fw (git-fixes). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes). - net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes). - net: dsa: mt7530: set CPU port to fallback mode (git-fixes). - net: ena: set initial DMA width to avoid intel iommu issue (git-fixes). - net: ethernet: ave: Fix error returns in ave_init (git-fixes). - net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes). - net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes). - net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes). - net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes). - net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes). 
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes). - net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes). - net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353). - net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes). - net: hns3: add a missing uninit debugfs when unload driver (git-fixes). - net: hns3: add reset check for VF updating port based VLAN (git-fixes). - net: hns3: clear port base VLAN when unload PF (git-fixes). - net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes). - net: hns3: fix a TX timeout issue (git-fixes). - net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes). - net: hns3: fix for mishandle of asserting VF reset fail (git-fixes). - net: hns3: fix for VLAN config when reset failed (git-fixes). - net: hns3: fix RSS config lost after VF reset (git-fixes). - net: hns3: fix set and get link ksettings issue (git-fixes). - net: hns3: fix 'tc qdisc del' failed issue (git-fixes). - net: hns3: fix the number of queues actually used by ARQ (git-fixes). - net: hns3: fix use-after-free when doing self test (git-fixes). - net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes). - net: hns: fix return value check in __lb_other_process() (git-fixes). - net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes). - net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes). - net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes). - net: macb: mark device wake capable when 'magic-packet' property present (git-fixes). - net/mlx4_core: fix a memory leak bug (git-fixes). - net/mlx4_core: Fix init_hca fields offset (git-fixes). - net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854). - net/mlx4_en: Handle TX error CQE (bsc#1181854). - net/mlx5: Add handling of port type in rule deletion (git-fixes). 
- net/mlx5: Annotate mutex destroy for root ns (git-fixes). - net/mlx5: Clear LAG notifier pointer after unregister (git-fixes). - net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes). - net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes). - net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes). - net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes). - net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes). - net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes). - net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes). - net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464). - net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes). - net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes). - net/mlx5e: Fix endianness handling in pedit mask (git-fixes). - net/mlx5e: Fix error path of device attach (git-fixes). - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes). - net/mlx5e: Fix two double free cases (git-fixes). - net/mlx5e: Fix VLAN cleanup flow (git-fixes). - net/mlx5e: Fix VLAN create flow (git-fixes). - net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes). - net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes). - net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes). - net/mlx5e: Reduce tc unsupported key print level (git-fixes). - net/mlx5e: Rename hw_modify to preactivate (git-fixes). - net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes). - net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes). - net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes). - net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes). 
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes). - net/mlx5e: Use preactivate hook to set the indirection table (git-fixes). - net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes). - net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes). - net/mlx5: Fix deletion of duplicate rules (git-fixes). - net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes). - net/mlx5: Fix memory leak on flow table creation error flow (git-fixes). - net/mlx5: Fix request_irqs error flow (git-fixes). - net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes). - net/mlx5: Query PPS pin operational status before registering it (git-fixes). - net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes). - net: moxa: Fix a potential double 'free_irq()' (git-fixes). - net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes). - net: mscc: ocelot: fix address ageing time (again) (git-fixes). - net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes). - net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes). - net: mvpp2: disable force link UP during port init procedure (git-fixes). - net: mvpp2: Fix error return code in mvpp2_open() (git-fixes). - net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes). - net: mvpp2: fix memory leak in mvpp2_rx (git-fixes). - net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes). - net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes). - net: mvpp2: Remove Pause and Asym_Pause support (git-fixes). - net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes). - net: netsec: Correct dma sync for XDP_TX frames (git-fixes). - net: nixge: fix potential memory leak in nixge_probe() (git-fixes). - net: octeon: mgmt: Repair filling of RX ring (git-fixes). 
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes).
- net: phy: extract link partner advertisement reading (git-fixes).
- net: phy: extract pause mode (git-fixes).
- net: phy: marvell10g: fix null pointer dereference (git-fixes).
- net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes).
- net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes).
- net: qca_spi: fix receive buffer size check (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: qede: fix PTP initialization on recovery (git-fixes).
- net: qede: fix use-after-free on recovery and AER handling (git-fixes).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix async event callbacks unregistering (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix 'maybe uninitialized' warning (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qed: RDMA personality shouldn't fail VF load (git-fixes).
- net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293).
- net: rmnet: do not allow to add multiple bridge interfaces (git-fixes).
- net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes).
- net: rmnet: fix bridge mode bugs (git-fixes).
- net: rmnet: fix lower interface leak (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes).
- net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes).
- net: rmnet: fix suspicious RCU usage (git-fixes).
- net: rmnet: print error message when command fails (git-fixes).
- net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes).
- net: rmnet: use upper/lower device infrastructure (git-fixes).
- net, sctp, filter: remap copy_from_user failure error (bsc#1181637).
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Always arm TX Timer at end of transmission start (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix disabling flexible PPS output (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: Fix the TX IOC in xmit path (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes).
- net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes).
- net: stmmac: xgmac: Clear previous RX buffer size (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes).
- net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (git-fixes).
- net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes).
- nvme-hwmon: rework to avoid devm allocation (bsc#1177326).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137).
- nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989).
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989).
- perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989).
- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989).
- phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes).
- powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345).
- powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395).
- powerpc: Fix alignment bug within the init sections (bsc#1065729).
- powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395).
- powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159).
- powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159).
- powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159).
- powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes).
- powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530).
- powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159).
- powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159).
- powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159).
- powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159).
- powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159).
- powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159).
- powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159).
- powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159).
- powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729).
- powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624).
- powerpc/pkeys: Avoid using lockless page table walk (bsc#1181544 ltc#191080).
- powerpc/pkeys: Check vma before returning key fault error to the user (bsc#1181544 ltc#191080).
- powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395).
- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395).
- powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395).
- powerpc/prom: Fix 'ibm,arch-vec-5-platform-support' scan (bsc#1182602 ltc#190924).
- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074).
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855).
- powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900).
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
- powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729. git-fixes).
- powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
- powerpc/pseries: remove memory 're-add' implementation (bsc#1181674 ltc#189159).
- powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
- powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
- powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
- powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
- powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
- powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
- pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
- pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
- qed: fix error return code in qed_iwarp_ll2_start() (git-fixes).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes).
- qed: Populate nvm-file attributes while reading nvm config partition (git-fixes).
- qed: select CONFIG_CRC32 (git-fixes).
- qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
- quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
- quota: Sanity-check quota file headers on load (bsc#1182461).
- r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes).
- r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set (git-fixes).
- rcu/nocb: Perform deferred wake up before last idle's (git-fixes)
- rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes)
- rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes)
- RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248).
- RDMA/efa: Count admin commands errors (bsc#1176248).
- RDMA/efa: Count mmap failures (bsc#1176248).
- RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248).
- RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248).
- RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248).
- RDMA/efa: Expose minimum SQ size (bsc#1176248).
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248).
- RDMA/efa: Properly document the interrupt mask register (bsc#1176248).
- RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248).
- RDMA/efa: Report create CQ error counter (bsc#1176248).
- RDMA/efa: Report host information to the device (bsc#1176248).
- RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248).
- RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248).
- RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248).
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
- regulator: axp20x: Fix reference cout leak (git-fixes).
- regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes).
- regulator: core: avoid regulator_resolve_supply() race condition (git-fixes).
- regulator: Fix lockdep warning resolving supplies (git-fixes).
- regulator: s5m8767: Drop regulators OF node reference (git-fixes).
- regulator: s5m8767: Fix reference count leak (git-fixes).
- reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
- reset: hisilicon: correct vendor prefix (git-fixes).
- Revert 'ibmvnic: remove never executed if statement' (jsc#SLE-17043 bsc#1179243 ltc#189290).
- Revert 'net: bcmgenet: remove unused function in bcmgenet.c' (git-fixes).
- Revert 'platform/x86: ideapad-laptop: Switch touchpad attribute to be RO' (git-fixes).
- Revert 'RDMA/mlx5: Fix devlink deadlock on net namespace deletion' (jsc#SLE-8464).
- rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- rtc: s5m: select REGMAP_I2C (git-fixes).
- rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9).
- s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated (git-fixes).
- s390/vfio-ap: No need to disable IRQ after queue reset (git-fixes).
- sched: Reenable interrupts in do_sched_yield() (git-fixes)
- scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958).
- sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes).
- smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
- smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes).
- smsc95xx: check return value of smsc95xx_reset (git-fixes).
- soc: aspeed: snoop: Add clock control logic (git-fixes).
- spi: atmel: Put allocated master before return (git-fixes).
- spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes).
- spi: spi-synquacer: fix set_cs handling (git-fixes).
- spi: stm32: properly handle 0 byte transfer (git-fixes).
- squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266).
- squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267).
- squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268).
- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
- target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tpm: Remove tpm_dev_wq_lock (git-fixes).
- tpm_tis: Clean up locality release (git-fixes).
- tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
- tracing: Check length before giving out the filter buffer (git-fixes).
- tracing: Do not count ftrace events in top level enable output (git-fixes).
- tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes).
- tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes).
- ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459).
- ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454).
- ubifs: prevent creating duplicate encrypted filenames (bsc#1182457).
- ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456).
- ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455).
- ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458).
- Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
- Update config files: Set ledtrig-default-on as builtin (bsc#1182128)
- USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
- USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes).
- USB: dwc2: Make 'trimming xfer length' a debug message (git-fixes).
- USB: dwc3: fix clock issue during resume in OTG mode (git-fixes).
- USB: gadget: legacy: fix an error code in eth_bind() (git-fixes).
- USB: gadget: u_audio: Free requests only after callback (git-fixes).
- USB: mUSB: Fix runtime PM race in musb_queue_resume_work (git-fixes).
- USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
- USB: quirks: sort quirk entries (git-fixes).
- USB: renesas_usbhs: Clear pipe running flag in USBhs_pkt_pop() (git-fixes).
- USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
- USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
- USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
- USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
- USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
- USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
- USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (git-fixes).
- vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265).
- virtio_net: Fix error code in probe() (git-fixes).
- virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- vxlan: fix memleak of fdb (git-fixes).
- wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (git-fixes).
- writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
- x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489).
- x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272).
- xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558).
- xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276).
- xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430).
- xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273).
- xfs: ratelimit xfs_discard_page messages (bsc#1182283).
- xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
- xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275).
- xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278).
- xfs: strengthen rmap record flags checking (git-fixes bsc#1182271).
- xhci: fix bounce buffer usage for non-sg list case (git-fixes).

The kernel-default-base packaging was changed:

- Added squashfs for kiwi installiso support (bsc#1182341)
- Added fuse (bsc#1182507)
- Added modules which got lost when migrating away from supported.conf (bsc#1182110):
  * am53c974 had a typo
  * cls_bpf, iscsi_ibft, libahci, libata, openvswitch, sch_ingress
- Also added vport-* modules for Open vSwitch

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:758-1
Released: Wed Mar 10 12:16:27 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1182688

This update for dracut fixes the following issues:

- network-legacy: fix route parsing issues in ifup. (bsc#1182688)
-0kernel-modules: arm/arm64: Add reset controllers
- Prevent creating unexpected files on the host when running dracut
- As of 'v246' of systemd 'syslog' and 'syslog-console' switches have been deprecated.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released: Fri Mar 12 17:42:25 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:784-1
Released: Mon Mar 15 11:19:08 2021
Summary: Recommended update for efivar
Type: recommended
Severity: moderate
References: 1181967

This update for efivar fixes the following issues:

- Fixed an issue with the NVME path parsing (bsc#1181967)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:802-1
Released: Tue Mar 16 16:54:12 2021
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1183073

This update for grub2 fixes the following issues:

- Fixed chainloading windows on dual boot machine (bsc#1183073)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released: Thu Mar 18 09:41:54 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support
multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:881-1
Released: Fri Mar 19 04:16:42 2021
Summary: Recommended update for yast2-adcommon-python, yast2-aduc, samba
Type: recommended
Severity: moderate
References: 1084864,1132565,1133568,1135130,1135224,1138203,1138487,1145508,1146898,1150394,1150612,1151713,1152052,1154121,1170998

This update for yast2-adcommon-python, yast2-aduc, samba fixes the following issues:

- Update 'aduc' for 'realmd' customer. (jsc#SLE-5527)
- Add ability to change/enable/unlock user's passwords. (bsc#1152052)
- Fixes a Failure to authenticate on first try and throws a MemoryError on Ubuntu. (bsc#1151713)
- Fixes an issue when unused 'xset' may cause exception in 'appimage'. (bsc#1150612)
- Include other object creation options. (bsc#1138203)
- Use the domain name stored in the samba credentials object. (bsc#1138487)
- Display a backtrace if the connection fails.
- Use new schema of desktop files. (bsc#1084864)
- Move the module to Network Services.
- Use common authentication from yast2-adcommon-python.
- Switch to using a unified file/actions menu, instead of random buttons
- Remove 'ad-dc' dependency. (jsc#ECO-2527)
- Fix slow load of 'ADUC' caused by chatty ldap traffic. (bsc#1170998)
- The domain label should be a text field, for manually entering the domain name. (bsc#1154121)
- Fix to reconnect the 'ldap' session if it times out. (bsc#1150394)
- 'AD' modules should connect to an AD-DC via the SamDB interface, instead of 'python-ldap'. (bsc#1146898)
- Fix incorrectly placed domain in change domain dialog (bsc#1145508)
- YaST 'aduc/adsi/gpmc' should not exit after entering empty password and explicitly state that an Active Directory administrator should sign in. (bsc#1132565)
- Move schema parsing code from adsi to the common code. (bsc#1138203)
- 'TypeError: Expected a string or unicode object' during auth. (bsc#1135224)
- Authentication fails with 'Failed to initialize ldap connection'. (bsc#1135130)
- Fix for an issue when 'yast2-adcommon-python' 'ldap' does not correctly parse 'ldap' urls. (bsc#1133568)
- Initial version

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units.
(#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released: Tue Mar 23 13:20:24 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1083473,1112500,1115408,1165780,1183012

This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer`
- Avoid needless refresh on boot.
(bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:933-1
Released: Wed Mar 24 12:16:14 2021
Summary: Security update for ruby2.5
Type: security
Severity: important
References: 1177125,1177222,CVE-2020-25613

This update for ruby2.5 fixes the following issues:

- CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125).
- Enable optimizations also on ARM64 (bsc#1177222)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released: Wed Mar 24 12:19:10 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:945-1
Released: Wed Mar 24 13:43:08 2021
Summary: Security update for ldb
Type: security
Severity: important
References: 1183572,1183574,CVE-2020-27840,CVE-2021-20277

This update for ldb fixes the following issues:

- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released: Wed Mar 24 14:30:58 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1182379,CVE-2021-23336

This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released: Thu Mar 25 16:11:48 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue.
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low References: 1181131,CVE-2021-20193 This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:991-1 Released: Wed Mar 31 13:28:37 2021 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1182324 This update for vim provides the following fixes: - Install SUSE vimrc in /usr. (bsc#1182324) - Source correct suse.vimrc file. (bsc#1182324) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) From sle-security-updates at lists.suse.com Thu Apr 8 01:14:55 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 03:14:55 +0200 (CEST) Subject: SUSE-SU-2021:1097-1: moderate: Security update for openexr Message-ID: <20210408011455.A60BCF78E@maintenance.suse.de> SUSE Security Update: Security 
update for openexr ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1097-1 Rating: moderate References: #1184172 #1184173 #1184174 Cross-References: CVE-2021-3474 CVE-2021-3475 CVE-2021-3476 CVSS scores: CVE-2021-3474 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3474 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3475 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3475 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3476 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3476 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for openexr fixes the following issues: - CVE-2021-3474: Undefined-shift in Imf_2_5::FastHufDecoder::FastHufDecoder (bsc#1184174) - CVE-2021-3475: Integer-overflow in Imf_2_5::calculateNumTiles (bsc#1184173) - CVE-2021-3476: Undefined-shift in Imf_2_5::unpack14 (bsc#1184172) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1097=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libIlmImf-2_2-23-2.2.1-3.24.1 libIlmImf-2_2-23-debuginfo-2.2.1-3.24.1 libIlmImfUtil-2_2-23-2.2.1-3.24.1 libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.24.1 openexr-debuginfo-2.2.1-3.24.1 openexr-debugsource-2.2.1-3.24.1 openexr-devel-2.2.1-3.24.1 References: https://www.suse.com/security/cve/CVE-2021-3474.html https://www.suse.com/security/cve/CVE-2021-3475.html https://www.suse.com/security/cve/CVE-2021-3476.html https://bugzilla.suse.com/1184172 https://bugzilla.suse.com/1184173 https://bugzilla.suse.com/1184174 From sle-security-updates at lists.suse.com Thu Apr 8 13:15:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 15:15:27 +0200 (CEST) Subject: SUSE-SU-2021:1107-1: important: Security update for fwupd Message-ID: <20210408131527.AFB73F78E@maintenance.suse.de> SUSE Security Update: Security update for fwupd ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1107-1 Rating: important References: #1172643 #1182057 SLE-16809 Cross-References: CVE-2020-10759 CVSS scores: CVE-2020-10759 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2020-10759 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability, contains one feature and has one errata is now available. 
Description: This update for fwupd fixes the following issues: - Update to version 1.2.14: (bsc#1182057) - Add SBAT section to EFI images (bsc#1182057) - CVE-2020-10759: Validate that gpgme_op_verify_result() returned at least one signature (bsc#1172643) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1107=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): fwupd-1.2.14-5.8.2 fwupd-debuginfo-1.2.14-5.8.2 fwupd-debugsource-1.2.14-5.8.2 fwupd-devel-1.2.14-5.8.2 libfwupd2-1.2.14-5.8.2 libfwupd2-debuginfo-1.2.14-5.8.2 typelib-1_0-Fwupd-2_0-1.2.14-5.8.2 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch): fwupd-lang-1.2.14-5.8.2 References: https://www.suse.com/security/cve/CVE-2020-10759.html https://bugzilla.suse.com/1172643 https://bugzilla.suse.com/1182057 From sle-security-updates at lists.suse.com Thu Apr 8 13:16:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 15:16:31 +0200 (CEST) Subject: SUSE-SU-2021:1103-1: important: Security update for fwupdate Message-ID: <20210408131631.2ED83F78E@maintenance.suse.de> SUSE Security Update: Security update for fwupdate ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1103-1 Rating: important References: #1182057 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that contains security fixes 
can now be installed. Description: This update for fwupdate fixes the following issues: - Add SBAT section to EFI images (bsc#1182057) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1103=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1103=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1103=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1103=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (x86_64): fwupdate-9+git21.gcd8f7d7-6.8.2 fwupdate-debuginfo-9+git21.gcd8f7d7-6.8.2 fwupdate-debugsource-9+git21.gcd8f7d7-6.8.2 fwupdate-devel-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-debuginfo-9+git21.gcd8f7d7-6.8.2 libfwup1-9+git21.gcd8f7d7-6.8.2 libfwup1-debuginfo-9+git21.gcd8f7d7-6.8.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64): fwupdate-9+git21.gcd8f7d7-6.8.2 fwupdate-debuginfo-9+git21.gcd8f7d7-6.8.2 fwupdate-debugsource-9+git21.gcd8f7d7-6.8.2 fwupdate-devel-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-debuginfo-9+git21.gcd8f7d7-6.8.2 libfwup1-9+git21.gcd8f7d7-6.8.2 libfwup1-debuginfo-9+git21.gcd8f7d7-6.8.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): fwupdate-9+git21.gcd8f7d7-6.8.2 fwupdate-debuginfo-9+git21.gcd8f7d7-6.8.2 fwupdate-debugsource-9+git21.gcd8f7d7-6.8.2 fwupdate-devel-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-debuginfo-9+git21.gcd8f7d7-6.8.2 libfwup1-9+git21.gcd8f7d7-6.8.2 libfwup1-debuginfo-9+git21.gcd8f7d7-6.8.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): 
fwupdate-9+git21.gcd8f7d7-6.8.2 fwupdate-debuginfo-9+git21.gcd8f7d7-6.8.2 fwupdate-debugsource-9+git21.gcd8f7d7-6.8.2 fwupdate-devel-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-9+git21.gcd8f7d7-6.8.2 fwupdate-efi-debuginfo-9+git21.gcd8f7d7-6.8.2 libfwup1-9+git21.gcd8f7d7-6.8.2 libfwup1-debuginfo-9+git21.gcd8f7d7-6.8.2 References: https://bugzilla.suse.com/1182057 From sle-security-updates at lists.suse.com Thu Apr 8 13:17:30 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 15:17:30 +0200 (CEST) Subject: SUSE-SU-2021:1108-1: moderate: Security update for ceph Message-ID: <20210408131730.7B660F78E@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1108-1 Rating: moderate References: #1172926 #1176390 #1176489 #1176679 #1176828 #1177360 #1177857 #1178837 #1178860 #1178905 #1178932 #1179569 #1179997 #1182766 Cross-References: CVE-2020-25678 CVE-2020-27839 CVSS scores: CVE-2020-25678 (NVD) : 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2020-27839 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Enterprise Storage 7 ______________________________________________________________________________ An update that solves two vulnerabilities and has 12 fixes is now available. 
Description: This update for ceph fixes the following issues: - ceph was updated to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence "Failed to evict container" log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1108=1 - SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2021-1108=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): ceph-common-15.2.9.83+g4275378de0-3.17.1 ceph-common-debuginfo-15.2.9.83+g4275378de0-3.17.1 ceph-debugsource-15.2.9.83+g4275378de0-3.17.1 libcephfs-devel-15.2.9.83+g4275378de0-3.17.1 libcephfs2-15.2.9.83+g4275378de0-3.17.1 libcephfs2-debuginfo-15.2.9.83+g4275378de0-3.17.1 librados-devel-15.2.9.83+g4275378de0-3.17.1 librados-devel-debuginfo-15.2.9.83+g4275378de0-3.17.1 librados2-15.2.9.83+g4275378de0-3.17.1 librados2-debuginfo-15.2.9.83+g4275378de0-3.17.1 libradospp-devel-15.2.9.83+g4275378de0-3.17.1 librbd-devel-15.2.9.83+g4275378de0-3.17.1 librbd1-15.2.9.83+g4275378de0-3.17.1 librbd1-debuginfo-15.2.9.83+g4275378de0-3.17.1 librgw-devel-15.2.9.83+g4275378de0-3.17.1 librgw2-15.2.9.83+g4275378de0-3.17.1 librgw2-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 python3-cephfs-15.2.9.83+g4275378de0-3.17.1 python3-cephfs-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rados-15.2.9.83+g4275378de0-3.17.1 python3-rados-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rbd-15.2.9.83+g4275378de0-3.17.1 python3-rbd-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rgw-15.2.9.83+g4275378de0-3.17.1 python3-rgw-debuginfo-15.2.9.83+g4275378de0-3.17.1 rados-objclass-devel-15.2.9.83+g4275378de0-3.17.1 rbd-nbd-15.2.9.83+g4275378de0-3.17.1 rbd-nbd-debuginfo-15.2.9.83+g4275378de0-3.17.1 - SUSE Enterprise Storage 7 (aarch64 x86_64): ceph-base-15.2.9.83+g4275378de0-3.17.1 ceph-base-debuginfo-15.2.9.83+g4275378de0-3.17.1 ceph-common-15.2.9.83+g4275378de0-3.17.1 ceph-common-debuginfo-15.2.9.83+g4275378de0-3.17.1 ceph-debugsource-15.2.9.83+g4275378de0-3.17.1 
libcephfs2-15.2.9.83+g4275378de0-3.17.1 libcephfs2-debuginfo-15.2.9.83+g4275378de0-3.17.1 librados2-15.2.9.83+g4275378de0-3.17.1 librados2-debuginfo-15.2.9.83+g4275378de0-3.17.1 librbd1-15.2.9.83+g4275378de0-3.17.1 librbd1-debuginfo-15.2.9.83+g4275378de0-3.17.1 librgw2-15.2.9.83+g4275378de0-3.17.1 librgw2-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-ceph-argparse-15.2.9.83+g4275378de0-3.17.1 python3-ceph-common-15.2.9.83+g4275378de0-3.17.1 python3-cephfs-15.2.9.83+g4275378de0-3.17.1 python3-cephfs-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rados-15.2.9.83+g4275378de0-3.17.1 python3-rados-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rbd-15.2.9.83+g4275378de0-3.17.1 python3-rbd-debuginfo-15.2.9.83+g4275378de0-3.17.1 python3-rgw-15.2.9.83+g4275378de0-3.17.1 python3-rgw-debuginfo-15.2.9.83+g4275378de0-3.17.1 rbd-nbd-15.2.9.83+g4275378de0-3.17.1 rbd-nbd-debuginfo-15.2.9.83+g4275378de0-3.17.1 - SUSE Enterprise Storage 7 (noarch): cephadm-15.2.9.83+g4275378de0-3.17.1 References: https://www.suse.com/security/cve/CVE-2020-25678.html https://www.suse.com/security/cve/CVE-2020-27839.html https://bugzilla.suse.com/1172926 https://bugzilla.suse.com/1176390 https://bugzilla.suse.com/1176489 https://bugzilla.suse.com/1176679 https://bugzilla.suse.com/1176828 https://bugzilla.suse.com/1177360 https://bugzilla.suse.com/1177857 https://bugzilla.suse.com/1178837 https://bugzilla.suse.com/1178860 https://bugzilla.suse.com/1178905 https://bugzilla.suse.com/1178932 https://bugzilla.suse.com/1179569 https://bugzilla.suse.com/1179997 https://bugzilla.suse.com/1182766 From sle-security-updates at lists.suse.com Thu Apr 8 13:21:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 15:21:01 +0200 (CEST) Subject: SUSE-SU-2021:1104-1: important: Security update for fwupdate Message-ID: <20210408132101.6184CF78E@maintenance.suse.de> SUSE Security Update: Security update for fwupdate 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1104-1 Rating: important References: #1182057 Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for fwupdate fixes the following issues: - Add SBAT section to EFI images (bsc#1182057) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1104=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1104=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1104=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1104=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1104=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1104=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1104=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1104=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1104=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1104=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1104=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Manager Retail Branch Server 4.0 (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Manager Proxy 4.0 (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 
fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE Enterprise Storage 6 (aarch64 x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 - SUSE CaaS Platform 4.0 (x86_64): fwupdate-12-11.8.2 fwupdate-debuginfo-12-11.8.2 fwupdate-debugsource-12-11.8.2 fwupdate-devel-12-11.8.2 fwupdate-efi-12-11.8.2 fwupdate-efi-debuginfo-12-11.8.2 libfwup1-12-11.8.2 libfwup1-debuginfo-12-11.8.2 References: https://bugzilla.suse.com/1182057 From sle-security-updates at lists.suse.com Thu Apr 8 19:18:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 21:18:15 +0200 (CEST) Subject: SUSE-SU-2021:1111-1: important: Security update for fwupdate Message-ID: <20210408191815.69871F78E@maintenance.suse.de> SUSE Security Update: Security update for fwupdate ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1111-1 Rating: important References: #1182057 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 
SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for fwupdate fixes the following issues: - Add SBAT section to EFI images (bsc#1182057) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1111=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1111=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1111=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1111=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1111=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1111=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1111=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1111=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1111=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1111=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1111=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): fwupdate-0.5-10.10.1 
fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE OpenStack Cloud 9 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE OpenStack Cloud 8 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 
fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 - HPE Helion Openstack 8 (x86_64): fwupdate-0.5-10.10.1 fwupdate-debuginfo-0.5-10.10.1 fwupdate-debugsource-0.5-10.10.1 fwupdate-efi-0.5-10.10.1 fwupdate-efi-debuginfo-0.5-10.10.1 libfwup0-0.5-10.10.1 libfwup0-debuginfo-0.5-10.10.1 References: https://bugzilla.suse.com/1182057 From sle-security-updates at lists.suse.com Thu Apr 8 19:20:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 8 Apr 2021 21:20:22 +0200 (CEST) Subject: SUSE-SU-2021:1113-1: moderate: Security update for tpm2-tss-engine Message-ID: <20210408192022.DFBD6F78E@maintenance.suse.de> SUSE Security Update: Security update for tpm2-tss-engine ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1113-1 Rating: moderate References: #1183895 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for tpm2-tss-engine fixes the following issues: - Added support to disable fixed compilation flags - Added --disable-defaultflags during compilation to avoid breakage of our gcc-PIE profile (resulted in non-position-independent executable tpm2-tss-genkey, bsc#1183895) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1113=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): tpm2-tss-engine-1.0.1-4.3.1 tpm2-tss-engine-debuginfo-1.0.1-4.3.1 tpm2-tss-engine-debugsource-1.0.1-4.3.1 tpm2-tss-engine-devel-1.0.1-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): tpm2-tss-engine-bash-completion-1.0.1-4.3.1 References: https://bugzilla.suse.com/1183895 From sle-security-updates at lists.suse.com Fri Apr 9 05:53:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 07:53:31 +0200 (CEST) Subject: SUSE-IU-2021:435-1: Security update of suse-sles-15-sp2-chost-byos-v20210405-gen2 Message-ID: <20210409055331.44E44B45E9B@westernhagen.suse.de> SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210405-gen2 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:435-1 Image Tags : suse-sles-15-sp2-chost-byos-v20210405-gen2:20210405 Image Release : Severity : important Type : security References : 1065600 1065729 1078466 1078720 1081134 1083473 1084610 1084864 1112500 1115408 1125671 1132477 1132565 1133568 1135130 1135224 1138203 1138487 1140565 1145508 1146705 1146898 1150394 1150612 1151713 1151927 1152052 1152472 1152489 1154121 1154353 1154393 1155518 1156395 1163776 1165780 1169514 1170442 1170998 1172442 1174075 1174514 1175289 1175519 1175970 1176171 1176201 1176248 1176262 1176708 1176711 1176784 1176785 1176855 1177109 1177125 1177127 1177222 1177326 1177440 1177529 1177883 1178142 1178168 1178386 1178775 1178801 1178801 1178969 1178995 1179082 1179137 1179243 1179264 1179265 1179428 1179660 1179694 1179721 1179756 1179847 1179929 1180020 1180038 1180058 1180073 1180083 1180176 1180243 1180336 1180401 1180401 1180403 1180501 1180596 1180686 
1180827 1180846 1180933 1180964 1180989 1181011 1181126 1181131 1181133 1181259 1181283 1181313 1181328 1181358 1181505 1181544 1181574 1181622 1181637 1181655 1181671 1181674 1181710 1181720 1181730 1181732 1181735 1181736 1181738 1181747 1181753 1181818 1181831 1181843 1181854 1181896 1181944 1181958 1181960 1181967 1181985 1182047 1182057 1182066 1182110 1182117 1182118 1182128 1182140 1182168 1182171 1182175 1182244 1182246 1182259 1182262 1182263 1182265 1182266 1182267 1182268 1182271 1182272 1182273 1182275 1182276 1182278 1182279 1182283 1182324 1182328 1182331 1182333 1182341 1182362 1182374 1182379 1182380 1182381 1182406 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182430 1182439 1182441 1182442 1182443 1182444 1182445 1182446 1182447 1182449 1182454 1182455 1182456 1182457 1182458 1182459 1182460 1182461 1182462 1182463 1182464 1182465 1182466 1182485 1182489 1182490 1182507 1182547 1182558 1182560 1182561 1182571 1182599 1182602 1182626 1182629 1182650 1182672 1182676 1182683 1182684 1182686 1182688 1182770 1182798 1182800 1182801 1182854 1182856 1182959 1183012 1183073 1183094 1183370 1183371 1183456 1183457 1183572 1183574 1183852 1183933 1183934 CVE-2019-20916 CVE-2019-25013 CVE-2020-11080 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373 CVE-2020-14343 CVE-2020-14372 CVE-2020-15257 CVE-2020-25613 CVE-2020-25632 CVE-2020-25647 CVE-2020-25659 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27840 CVE-2020-28493 CVE-2020-29368 CVE-2020-29374 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8625 CVE-2021-20193 CVE-2021-20225 CVE-2021-20231 CVE-2021-20232 CVE-2021-20233 CVE-2021-20277 CVE-2021-21284 CVE-2021-21285 CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-26720 CVE-2021-26930 
CVE-2021-26931 CVE-2021-26932 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449
-----------------------------------------------------------------
The container suse-sles-15-sp2-chost-byos-v20210405-gen2 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:419-1
Released: Wed Feb 10 12:03:33 2021
Summary: Recommended update for open-iscsi
Type: recommended
Severity: moderate
References: 1181313

This update for open-iscsi fixes the following issues:

- Fixes a segfault when exiting from iscsiadm (bsc#1181313)
- Fix for several memory leaks in iscsiadm
- Fix for a crash when function iscsi_rec_update_param() is invoked
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released: Thu Feb 11 14:47:25 2021
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released: Thu Feb 11 16:35:04 2021
Summary: Optional update for python3-jsonschema
Type: optional
Severity: low
References: 1180403

This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625

This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168

This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released: Fri Feb 19 09:44:53 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501

This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:526-1
Released: Fri Feb 19 12:46:27 2021
Summary: Recommended update for python-distro
Type: recommended
Severity: moderate
References:

This update for python-distro fixes the following issues:

Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212)

- Backward compatibility:
  - Keep output as native string so we can be compatible with python2 interface
  - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION`
- Bug Fixes:
  - Fix detection of RHEL 6 `ComputeNode`
  - Fix Oracle 4/5 `lsb_release` id and names
  - Ignore `/etc/plesk-release` file while parsing distribution
  - Return `_uname_info` from the `uname_info()` method
  - Fixed `CloudLinux` id discovery
  - Update Oracle matching
  - Warn about wrong locale.
- Documentation:
  - Distro is the recommended replacement for `platform.linux_distribution`
  - Add Ansible reference implementation and fix arch-linux link
  - Add facter reference implementation
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720

This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released: Tue Feb 23 16:11:33 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1180176

This update for cloud-init contains the following fixes:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
- Python 3.4 compatibility in setup.py
- Disable some test for mock version compatibility
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:573-1
Released: Wed Feb 24 09:58:38 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1176171,1180336

This update for dracut fixes the following issues:

- arm/arm64: Add reset controllers (bsc#1180336)
- Prevent creating unexpected files on the host when running dracut (bsc#1176171)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released: Thu Feb 25 09:29:35 2021
Summary: Security update for python-cryptography
Type: security
Severity: important
References: 1182066,CVE-2020-36242

This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493

This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released: Mon Mar 1 09:34:21 2021
Summary: Recommended update for protobuf
Type: recommended
Severity: moderate
References: 1177127

This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:683-1
Released: Tue Mar 2 19:04:43 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233

This update for grub2 fixes the following issues:

grub2 implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933

This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:741-1
Released: Tue Mar 9 16:11:49 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065600,1065729,1078720,1081134,1084610,1132477,1151927,1152472,1152489,1154353,1155518,1156395,1163776,1169514,1170442,1176248,1176855,1177109,1177326,1177440,1177529,1178142,1178995,1179082,1179137,1179243,1179428,1179660,1179929,1180058,1180846,1180964,1180989,1181133,1181259,1181544,1181574,1181637,1181655,1181671,1181674,1181710,1181720,1181735,1181736,1181738,1181747,1181753,1181818,1181843,1181854,1181896,1181958,1181960,1181985,1182047,1182110,1182118,1182128,1182140,1182171,1182175,1182259,1182265,1182266,1182267,1182268,1182271,1182272,1182273,1182275,1182276,1182278,1182283,1182341,1182374,1182380,1182381,1182406,1182430,1182439,1182441,1182442,1182443,1182444,1182445,1182446,1182447,1182449,1182454,1182455,1182456,1182457,1182458,1182459,1182460,1182461,1182462,1182463,1182464,1182465,1182466,1182485,1182489,1182490,1182507,1182547,1182558,1182560,1182561,1182571,1182599,1182602,1182626,1182650,1182672,1182676,1182683,1182684,1182686,1182770,1182798,1182800,1182801,1182854,1182856,CVE-2020-12362,CVE-2020-12363,CVE-2020-12364,CVE-2020-12373,CVE-2020-29368,CVE-2020-29374,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).
- CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).
- CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736).
- CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes).
- ACPI: property: Fix fwnode string properties matching (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes).
- ALSA: hda: Add another CometLake-H PCI ID (git-fixes).
- ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes).
- ALSA: pcm: Call sync_stop at disconnection (git-fixes).
- ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes).
- ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes).
- ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes).
- ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes).
- ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes).
- ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes).
- ALSA: usb-audio: More strict state change in EP (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes).
- arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- ASoC: cpcap: fix microphone timeslot mask (git-fixes).
- ASoC: cs42l56: fix up error handling in probe (git-fixes).
- ASoC: simple-card-utils: Fix device module clock (git-fixes).
- ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes).
- ata: ahci_brcm: Add back regulators management (git-fixes).
- ata: sata_nv: Fix retrieving of active qcs (git-fixes).
- ath10k: Fix error handling in case of CE pipe init failure (git-fixes).
- ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes).
- bcache: fix overflow in offset_to_stripe() (git-fixes).
- blk-mq: call commit_rqs while list empty but error happen (bsc#1182442).
- blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443).
- blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444).
- block: fix inflight statistics of part0 (bsc#1182445).
- block: respect queue limit of max discard segment (bsc#1182441).
- block: virtio_blk: fix handling single range discard request (bsc#1182439).
- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes).
- Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes).
- Bluetooth: drop HCI device reference before return (git-fixes).
- Bluetooth: Fix initializing response id after clearing struct (git-fixes).
- Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes).
- Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes).
- bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (git-fixes).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes).
- bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518).
- bpf, cgroup: Fix problematic bounds check (bsc#1155518).
- btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574).
- btrfs: fix race between RO remount and the cleaner task (bsc#1182626).
- btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626).
- btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: lift read-write mount setup from mount and remount (bsc#1182626).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- ceph: fix flush_snap logic after putting caps (bsc#1182854).
- cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683).
- cgroup: fix psi monitor for root cgroup (bsc#1182686).
- cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684).
- chelsio/chtls: correct function return and return type (git-fixes).
- chelsio/chtls: correct netdevice for vlan interface (git-fixes).
- chelsio/chtls: fix a double free in chtls_setkey() (git-fixes).
- chelsio/chtls: fix always leaking ctrl_skb (git-fixes).
- chelsio/chtls: fix deadlock issue (git-fixes).
- chelsio/chtls: fix memory leaks caused by a race (git-fixes).
- chelsio/chtls: fix memory leaks in CPL handlers (git-fixes).
- chelsio/chtls: fix panic during unload reload chtls (git-fixes).
- chelsio/chtls: fix socket lock (git-fixes).
- chelsio/chtls: fix tls record info to user (git-fixes).
- Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268).
- chtls: Added a check to avoid NULL pointer dereference (git-fixes).
- chtls: Fix chtls resources release sequence (git-fixes).
- chtls: Fix hardware tid leak (git-fixes).
- chtls: Fix panic when route to peer not configured (git-fixes).
- chtls: Remove invalid set_tcb call (git-fixes).
- chtls: Replace skb_dequeue with skb_peek (git-fixes).
- cifs: check all path components in resolved dfs target (bsc#1181710).
- cifs: fix nodfs mount option (bsc#1181710).
- cifs: introduce helper for finding referral server (bsc#1181710).
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes).
- cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes).
- clk: meson: clk-pll: make 'ret' a signed integer (git-fixes).
- clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes).
- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes).
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes).
- clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes).
- clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes).
- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes).
- cpuset: fix race between hotplug work and later CPU offline (bsc#1182676).
- crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes).
- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4: fix all-mask IP address comparison (git-fixes).
- cxgb4: fix checks for max queues to allocate (git-fixes).
- cxgb4: fix endian conversions for L4 ports in filters (git-fixes).
- cxgb4: fix set but unused variable when DCB is disabled (git-fixes).
- cxgb4: fix SGE queue dump destination buffer context (git-fixes).
- cxgb4: fix the panic caused by non smac rewrite (git-fixes).
- cxgb4: move DCB version extern to header file (git-fixes).
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes).
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- cxgb4: remove cast when saving IPv4 partial checksum (git-fixes).
- cxgb4: set up filter action after rewrites (git-fixes).
- cxgb4: use correct type for all-mask IP address comparison (git-fixes).
- cxgb4: use unaligned conversion for fetching timestamp (git-fixes).
- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes).
- dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes).
- dmaengine: hsu: disable spurious interrupt (git-fixes).
- dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes).
- dm crypt: avoid truncating the logical block size (git-fixes).
- dm: fix bio splitting and its bio completion order for regular IO (git-fixes).
- dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529).
- dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529).
- dm thin metadata: fix lockdep complaint (bsc#1177529).
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529).
- dm: use noio when sending kobject event (bsc#1177529).
- docs: filesystems: vfs: correct flag name (bsc#1182856).
- dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes).
- drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
- drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes).
- drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (git-fixes).
- drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (git-fixes).
- drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes).
- drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes).
- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes).
- drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes).
- drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes).
- drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes).
- drm/amd/display: Revert 'Fix EDID parsing after resume from suspend' (git-fixes).
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes).
- drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes).
- drm/gma500: Fix error return code in psb_driver_load() (git-fixes).
- drm/meson: Unbind all connectors on module removal (bsc#1152472)
- drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472)
- drm/sun4i: dw-hdmi: Fix max. frequency for H6 (bsc#1152472)
- drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472)
- drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472)
- drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489)
- Drop HID logitech patch that caused a regression (bsc#1182259)
- exec: Always set cap_ambient in cap_bprm_set_creds (git-fixes).
- exfat: Avoid allocating upcase table using kcalloc() (git-fixes).
- ext4: do not remount read-only with errors=continue on reboot (bsc#1182464).
- ext4: fix a memory leak of ext4_free_data (bsc#1182447).
- ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
- ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
- ext4: fix superblock checksum failure when setting password salt (bsc#1182465).
- ext4: prevent creating duplicate encrypted filenames (bsc#1182446).
- fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
- firmware_loader: align .builtin_fw to 8 (git-fixes).
- fscrypt: add fscrypt_is_nokey_name() (bsc#1182446).
- fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446).
- fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466).
- gma500: clean up error handling in init (git-fixes).
- gpio: pcf857x: Fix missing first interrupt (git-fixes).
- HID: core: detect and skip invalid inputs to snto32() (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes).
- hwrng: timeriomem - Fix cooldown period calculation (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i2c: iproc: handle only slave interrupts which are enabled (git-fixes).
- i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes).
- i2c: stm32f7: fix configuration of the digital filter (git-fixes).
- i3c: master: dw: Drop redundant disec call (git-fixes).
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025).
- i40e: avoid premature Rx buffer reuse (git-fixes).
- i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes).
- i40e: Fix MAC address setting for a VF via Host/VM (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: Revert 'i40e: do not report link up for a VF who hasn't enabled queues' (jsc#SLE-8025).
- iavf: fix double-release of rtnl_lock (git-fixes).
- iavf: fix error return code in iavf_init_get_resources() (git-fixes).
- iavf: fix speed reporting over virtchnl (git-fixes).
- iavf: Fix updating statistics (git-fixes).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591).
- ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591).
- ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: device remove has higher precedence over reset (bsc#1065729).
- ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591).
- ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631).
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960).
- ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: serialize access to work queue on remove (bsc#1065729).
- ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes).
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591).
- ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926).
- ice: Fix MSI-X vector fallback logic (jsc#SLE-7926).
- igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes).
- igc: fix link speed advertising (git-fixes).
- igc: Fix returning wrong statistics (git-fixes).
- igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes).
- include/linux/memremap.h: remove stale comments (git-fixes).
- Input: elo - fix an error code in elo_connect() (git-fixes).
- Input: i8042 - unbreak Pegatron C15B (git-fixes).
- Input: joydev - prevent potential read overflow in ioctl (git-fixes).
- Input: sur40 - fix an error code in sur40_probe() (git-fixes).
- Input: xpad - sync supported devices with fork on GitHub (git-fixes).
- iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes).
- iwlwifi: mvm: guard against device removal in reprobe (git-fixes).
- iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes).
- iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes).
- iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes).
- iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes).
- iwlwifi: pcie: fix context info memory leak (git-fixes).
- iwlwifi: pcie: reschedule in long-running memory reads (git-fixes).
- iwlwifi: pcie: use jiffies for memory read spin time limit (git-fixes).
- ixgbe: avoid premature Rx buffer reuse (git-fixes).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes).
- kABI: Fix kABI after AMD SEV PCID fixes (bsc#1178995).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191).
- kABI: repair, after 'nVMX: Emulate MTF when performing instruction emulation' kvm_x86_ops is part of kABI as it's used by LTTng. But it's only read and never allocated in there, so growing it (without altering existing members' offsets) is fine.
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).')
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818).
- KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818).
- KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489).
- KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380).
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: 'KVM: nVMX: Emulate MTF when performing instruction emulation' (bsc#1182380).
- KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (bsc#1178995).
- KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770).
- KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800).
- KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490).
- KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381).
- KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374).
- KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801).
- KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch (bsc#1178995).
- KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406).
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599).
- linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes).
- mac80211: 160MHz with extended NSS BW in CSA (git-fixes).
- mac80211: fix fast-rx encryption check (git-fixes).
- mac80211: fix potential overflow when multiplying to u32 integers (git-fixes).
- mac80211: pause TX while changing interface type (git-fixes).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost.
- MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290).
- matroxfb: avoid -Warray-bounds warning (bsc#1152472)
- media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes).
- media: camss: missing error code in msm_video_register() (git-fixes).
- media: cx25821: Fix a bug when reallocating some dma memory (git-fixes).
- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes).
- media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes).
- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes).
- media: lmedm04: Fix misuse of comma (git-fixes).
- media: media/pci: Fix memleak in empress_init (git-fixes).
- media: mt9v111: Remove unneeded device-managed puts (git-fixes).
- media: pwc: Use correct device for DMA (bsc#1181133).
- media: pxa_camera: declare variable when DEBUG is defined (git-fixes).
- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes).
- media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes).
- media: tm6000: Fix memleak in tm6000_start_stream (git-fixes).
- media: vsp1: Fix an error handling path in the probe function (git-fixes).
- mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes).
- memory: ti-aemif: Drop child node when jumping out loop (git-fixes).
- mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes).
- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes).
- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes).
- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes).
- mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes).
- mlxsw: core: Fix memory leak on module removal (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes).
- mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes).
- mlxsw: core: Increase scope of RCU read-side critical section (git-fixes).
- mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
- mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes).
- mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes).
- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes).
- mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes).
- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes).
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273).
- mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes).
- mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273).
- mt76: dma: fix a possible memory leak in mt76_add_fragment() (git-fixes).
- net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes).
- net: axienet: Fix error return code in axienet_probe() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use hardware padding of runt frames (git-fixes).
- net: broadcom CNIC: requires MMU (git-fixes).
- net: caif: Fix debugfs on 64-bit platforms (git-fixes).
- net/cxgb4: Check the return from t4_query_params properly (git-fixes).
- net: cxgb4: fix return error value in t4_prep_fw (git-fixes).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes).
- net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes).
- net: dsa: mt7530: set CPU port to fallback mode (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: ave: Fix error returns in ave_init (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes).
- net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes).
- net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes).
- net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes).
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes).
- net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353).
- net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (git-fixes).
- net: hns3: add reset check for VF updating port based VLAN (git-fixes).
- net: hns3: clear port base VLAN when unload PF (git-fixes).
- net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes).
- net: hns3: fix a TX timeout issue (git-fixes).
- net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes).
- net: hns3: fix for mishandle of asserting VF reset fail (git-fixes).
- net: hns3: fix for VLAN config when reset failed (git-fixes).
- net: hns3: fix RSS config lost after VF reset (git-fixes).
- net: hns3: fix set and get link ksettings issue (git-fixes).
- net: hns3: fix 'tc qdisc del' failed issue (git-fixes).
- net: hns3: fix the number of queues actually used by ARQ (git-fixes).
- net: hns3: fix use-after-free when doing self test (git-fixes).
- net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes).
- net: hns: fix return value check in __lb_other_process() (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes).
- net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes).
- net: macb: mark device wake capable when 'magic-packet' property present (git-fixes).
- net/mlx4_core: fix a memory leak bug (git-fixes).
- net/mlx4_core: Fix init_hca fields offset (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net/mlx5: Add handling of port type in rule deletion (git-fixes).
- net/mlx5: Annotate mutex destroy for root ns (git-fixes).
- net/mlx5: Clear LAG notifier pointer after unregister (git-fixes).
- net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
- net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes).
- net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes).
- net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes).
- net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes).
- net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes).
- net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes).
- net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes).
- net/mlx5e: Fix endianness handling in pedit mask (git-fixes).
- net/mlx5e: Fix error path of device attach (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (git-fixes).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes).
- net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes).
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- net/mlx5e: Rename hw_modify to preactivate (git-fixes).
- net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes).
- net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes).
- net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes).
- net/mlx5e: Use preactivate hook to set the indirection table (git-fixes).
- net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes).
- net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes).
- net/mlx5: Fix deletion of duplicate rules (git-fixes).
- net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes).
- net/mlx5: Fix memory leak on flow table creation error flow (git-fixes).
- net/mlx5: Fix request_irqs error flow (git-fixes).
- net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes).
- net/mlx5: Query PPS pin operational status before registering it (git-fixes).
- net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes).
- net: mscc: ocelot: fix address ageing time (again) (git-fixes).
- net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes).
- net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes).
- net: mvpp2: disable force link UP during port init procedure (git-fixes).
- net: mvpp2: Fix error return code in mvpp2_open() (git-fixes).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes).
- net: mvpp2: fix memory leak in mvpp2_rx (git-fixes).
- net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes).
- net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes).
- net: mvpp2: Remove Pause and Asym_Pause support (git-fixes).
- net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes).
- net: netsec: Correct dma sync for XDP_TX frames (git-fixes).
- net: nixge: fix potential memory leak in nixge_probe() (git-fixes).
- net: octeon: mgmt: Repair filling of RX ring (git-fixes).
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes).
- net: phy: extract link partner advertisement reading (git-fixes).
- net: phy: extract pause mode (git-fixes).
- net: phy: marvell10g: fix null pointer dereference (git-fixes).
- net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes).
- net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes).
- net: qca_spi: fix receive buffer size check (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: qede: fix PTP initialization on recovery (git-fixes).
- net: qede: fix use-after-free on recovery and AER handling (git-fixes).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix async event callbacks unregistering (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix 'maybe uninitialized' warning (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qed: RDMA personality shouldn't fail VF load (git-fixes).
- net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293).
- net: rmnet: do not allow to add multiple bridge interfaces (git-fixes).
- net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes).
- net: rmnet: fix bridge mode bugs (git-fixes).
- net: rmnet: fix lower interface leak (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes).
- net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes).
- net: rmnet: fix suspicious RCU usage (git-fixes).
- net: rmnet: print error message when command fails (git-fixes).
- net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes).
- net: rmnet: use upper/lower device infrastructure (git-fixes).
- net, sctp, filter: remap copy_from_user failure error (bsc#1181637).
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Always arm TX Timer at end of transmission start (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix disabling flexible PPS output (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: Fix the TX IOC in xmit path (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes).
- net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes).
- net: stmmac: xgmac: Clear previous RX buffer size (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes).
- net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (git-fixes).
- net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes).
- nvme-hwmon: rework to avoid devm allocation (bsc#1177326).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137).
- nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989).
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989).
- perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989).
- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989).
- phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes).
- powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345).
- powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395).
- powerpc: Fix alignment bug within the init sections (bsc#1065729).
- powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395).
- powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159).
- powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159).
- powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159).
- powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes).
- powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530).
- powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159).
- powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159).
- powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159).
- powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159).
- powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159).
- powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159).
- powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159).
- powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159).
- powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729).
- powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624).
- powerpc/pkeys: Avoid using lockless page table walk (bsc#1181544 ltc#191080).
- powerpc/pkeys: Check vma before returning key fault error to the user (bsc#1181544 ltc#191080).
- powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395).
- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395).
- powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395).
- powerpc/prom: Fix 'ibm,arch-vec-5-platform-support' scan (bsc#1182602 ltc#190924).
- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074).
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855).
- powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900).
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
- powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729. git-fixes).
- powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
- powerpc/pseries: remove memory 're-add' implementation (bsc#1181674 ltc#189159).
- powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
- powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
- powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
- powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
- powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
- powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
- pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
- pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
- qed: fix error return code in qed_iwarp_ll2_start() (git-fixes).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes).
- qed: Populate nvm-file attributes while reading nvm config partition (git-fixes).
- qed: select CONFIG_CRC32 (git-fixes).
- qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
- quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
- quota: Sanity-check quota file headers on load (bsc#1182461).
- r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes).
- r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set (git-fixes).
- rcu/nocb: Perform deferred wake up before last idle's (git-fixes)
- rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes)
- rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes)
- RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248).
- RDMA/efa: Count admin commands errors (bsc#1176248).
- RDMA/efa: Count mmap failures (bsc#1176248).
- RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248).
- RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248).
- RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248).
- RDMA/efa: Expose minimum SQ size (bsc#1176248).
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248).
- RDMA/efa: Properly document the interrupt mask register (bsc#1176248).
- RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248).
- RDMA/efa: Report create CQ error counter (bsc#1176248).
- RDMA/efa: Report host information to the device (bsc#1176248).
- RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248).
- RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248).
- RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248).
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
- regulator: axp20x: Fix reference cout leak (git-fixes).
- regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes).
- regulator: core: avoid regulator_resolve_supply() race condition (git-fixes).
- regulator: Fix lockdep warning resolving supplies (git-fixes).
- regulator: s5m8767: Drop regulators OF node reference (git-fixes).
- regulator: s5m8767: Fix reference count leak (git-fixes).
- reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
- reset: hisilicon: correct vendor prefix (git-fixes).
- Revert 'ibmvnic: remove never executed if statement' (jsc#SLE-17043 bsc#1179243 ltc#189290).
- Revert 'net: bcmgenet: remove unused function in bcmgenet.c' (git-fixes).
- Revert 'platform/x86: ideapad-laptop: Switch touchpad attribute to be RO' (git-fixes).
- Revert 'RDMA/mlx5: Fix devlink deadlock on net namespace deletion' (jsc#SLE-8464).
- rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- rtc: s5m: select REGMAP_I2C (git-fixes).
- rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9).
- s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated (git-fixes).
- s390/vfio-ap: No need to disable IRQ after queue reset (git-fixes).
- sched: Reenable interrupts in do_sched_yield() (git-fixes)
- scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958).
- sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes).
- smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
- smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes).
- smsc95xx: check return value of smsc95xx_reset (git-fixes).
- soc: aspeed: snoop: Add clock control logic (git-fixes).
- spi: atmel: Put allocated master before return (git-fixes).
- spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes).
- spi: spi-synquacer: fix set_cs handling (git-fixes).
- spi: stm32: properly handle 0 byte transfer (git-fixes).
- squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266).
- squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267).
- squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268).
- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
- target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tpm: Remove tpm_dev_wq_lock (git-fixes).
- tpm_tis: Clean up locality release (git-fixes).
- tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
- tracing: Check length before giving out the filter buffer (git-fixes).
- tracing: Do not count ftrace events in top level enable output (git-fixes).
- tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes).
- tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes).
- ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459).
- ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454).
- ubifs: prevent creating duplicate encrypted filenames (bsc#1182457).
- ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456).
- ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455).
- ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458).
- Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
- Update config files: Set ledtrig-default-on as builtin (bsc#1182128)
- USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
- USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes).
- USB: dwc2: Make 'trimming xfer length' a debug message (git-fixes).
- USB: dwc3: fix clock issue during resume in OTG mode (git-fixes).
- USB: gadget: legacy: fix an error code in eth_bind() (git-fixes).
- USB: gadget: u_audio: Free requests only after callback (git-fixes).
- USB: mUSB: Fix runtime PM race in musb_queue_resume_work (git-fixes).
- USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
- USB: quirks: sort quirk entries (git-fixes).
- USB: renesas_usbhs: Clear pipe running flag in USBhs_pkt_pop() (git-fixes).
- USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
- USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
- USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
- USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
- USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
- USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
- USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (git-fixes).
- vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265).
- virtio_net: Fix error code in probe() (git-fixes).
- virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- vxlan: fix memleak of fdb (git-fixes).
- wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (git-fixes).
- writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
- x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489).
- x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272).
- xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558).
- xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276).
- xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430).
- xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273).
- xfs: ratelimit xfs_discard_page messages (bsc#1182283).
- xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
- xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275).
- xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278).
- xfs: strengthen rmap record flags checking (git-fixes bsc#1182271). - xhci: fix bounce buffer usage for non-sg list case (git-fixes). The kernel-default-base packaging was changed: - Added squashfs for kiwi installiso support (bsc#1182341) - Added fuse (bsc#1182507) - Added modules which got lost when migrating away from supported.conf (bsc#1182110): * am53c974 had a typo * cls_bpf, iscsi_ibft, libahci, libata, openvswitch, sch_ingress - Also added vport-* modules for Open vSwitch ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:758-1 Released: Wed Mar 10 12:16:27 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1182688 This update for dracut fixes the following issues: - network-legacy: fix route parsing issues in ifup. (bsc#1182688) -0kernel-modules: arm/arm64: Add reset controllers - Prevent creating unexpected files on the host when running dracut - As of 'v246' of systemd 'syslog' and 'syslog-console' switches have been deprecated. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:784-1 Released: Mon Mar 15 11:19:08 2021 Summary: Recommended update for efivar Type: recommended Severity: moderate References: 1181967 This update for efivar fixes the following issues: - Fixed an issue with the NVME path parsing (bsc#1181967) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:802-1 Released: Tue Mar 16 16:54:12 2021 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1183073 This update for grub2 fixes the following issues: - Fixed chainloading windows on dual boot machine (bsc#1183073) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:874-1 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179847,1181328,1181622,1182629 This update for libsolv, libzypp, zypper fixes the following issues: - support 
multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:881-1
Released: Fri Mar 19 04:16:42 2021
Summary: Recommended update for yast2-adcommon-python, yast2-aduc, samba
Type: recommended
Severity: moderate
References: 1084864,1132565,1133568,1135130,1135224,1138203,1138487,1145508,1146898,1150394,1150612,1151713,1152052,1154121,1170998
This update for yast2-adcommon-python, yast2-aduc, samba fixes the following issues:
- Update 'aduc' for 'realmd' customer. (jsc#SLE-5527)
- Add ability to change/enable/unlock user's passwords. (bsc#1152052)
- Fixes a Failure to authenticate on first try and throws a MemoryError on Ubuntu. (bsc#1151713)
- Fixes an issue when unused 'xset' may cause exception in 'appimage'. (bsc#1150612)
- Include other object creation options. (bsc#1138203)
- Use the domain name stored in the samba credentials object. (bsc#1138487)
- Display a backtrace if the connection fails.
- Use new schema of desktop files. (bsc#1084864)
- Move the module to Network Services.
- Use common authentication from yast2-adcommon-python.
- Switch to using a unified file/actions menu, instead of random buttons
- Remove 'ad-dc' dependency. (jsc#ECO-2527)
- Fix slow load of 'ADUC' caused by chatty ldap traffic. (bsc#1170998)
- The domain label should be a text field, for manually entering the domain name. (bsc#1154121)
- Fix to reconnect the 'ldap' session if it times out. (bsc#1150394)
- 'AD' modules should connect to an AD-DC via the SamDB interface, instead of 'python-ldap'. (bsc#1146898)
- Fix incorrectly placed domain in change domain dialog (bsc#1145508)
- YaST 'aduc/adsi/gpmc' should not exit after entering empty password and explicitly state that an Active Directory administrator should sign in. (bsc#1132565)
- Move schema parsing code from adsi to the common code. (bsc#1138203)
- 'TypeError: Expected a string or unicode object' during auth. (bsc#1135224)
- Authentication fails with 'Failed to initialize ldap connection'. (bsc#1135130)
- Fix for an issue when 'yast2-adcommon-python' 'ldap' does not correctly parse 'ldap' urls. (bsc#1133568)
- Initial version
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)
This update for systemd fixes the following issues:
- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units.
(#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:933-1 Released: Wed Mar 24 12:16:14 2021 Summary: Security update for ruby2.5 Type: security Severity: important References: 1177125,1177222,CVE-2020-25613 This update for ruby2.5 fixes the following issues: - CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125). - Enable optimizations also on ARM64 (bsc#1177222) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:945-1 Released: Wed Mar 24 13:43:08 2021 Summary: Security update for ldb Type: security Severity: important References: 1183572,1183574,CVE-2020-27840,CVE-2021-20277 This update for ldb fixes the following issues: - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572). - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. 
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:960-1 Released: Mon Mar 29 11:16:28 2021 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1181283 This update for cloud-init fixes the following issues: - Does no longer include the sudoers.d directory twice (bsc#1181283) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low References: 1181131,CVE-2021-20193 This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:42:46 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:991-1 Released: Wed Mar 31 13:28:37 2021 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1182324 This update for vim provides the following fixes: - Install SUSE vimrc in /usr. (bsc#1182324) - Source correct suse.vimrc file. 
(bsc#1182324) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) From sle-security-updates at lists.suse.com Fri Apr 9 06:00:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 08:00:42 +0200 (CEST) Subject: SUSE-CU-2021:96-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20210409060042.979C4B45E9B@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:96-1 Container Tags : ses/7/cephcsi/cephcsi:3.2.0 , ses/7/cephcsi/cephcsi:3.2.0.0.3.300 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.0 , ses/7/cephcsi/cephcsi:v3.2.0.0 Container Release : 3.300 Severity : important Type : security References : 1078466 1083473 1112500 1115408 1125671 1140565 1146705 1154393 1160876 1165780 1171549 1172442 1172926 1174514 1175289 1175519 1176201 1176390 1176489 1176679 1176784 1176785 1176828 1177360 1177857 1178168 1178407 1178775 1178837 1178860 1178905 1178932 1179569 1179847 1179997 1180020 
1180073 1180083 1180596 1180713 1181011 1181328 1181358 1181622 1181831 1182328 1182362 1182379 1182629 1182766 1183012 1183094 1183370 1183371 1183456 1183457 1183852 1183933 1183934 CVE-2020-11080 CVE-2020-14343 CVE-2020-25659 CVE-2020-25678 CVE-2020-27839 CVE-2021-20231 CVE-2021-20232 CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-24031 CVE-2021-24032 CVE-2021-27218 CVE-2021-27219 CVE-2021-3449 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. 
(bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201
This update for zlib fixes the following issues:
- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released: Thu Mar 18 09:41:54 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179847,1181328,1181622,1182629
This update for libsolv, libzypp, zypper fixes the following issues:
- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700.
(bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:952-1 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Type: recommended Severity: moderate References: 1160876,1171549 This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:953-1 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1178407 This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:42:46 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). 
(bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1018-1 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1180713 This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. 
(bsc#1180713)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1109-1
Released: Thu Apr 8 11:49:10 2021
Summary: Security update for ceph
Type: security
Severity: moderate
References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839
This update for ceph fixes the following issues:
- ceph was updated to 15.2.9
- cephadm: fix 'inspect' and 'pull' (bsc#1182766)
- CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997)
- CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905)
- mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926)
- mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679)
- mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489)
- cephadm: command_unit: call systemctl with verbose=True (bsc#1176828)
- cephadm: silence 'Failed to evict container' log msg (bsc#1177360)
- mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857)
- rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
- mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
- cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569)

From sle-security-updates at lists.suse.com Fri Apr 9 06:01:49 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Apr 2021 08:01:49 +0200 (CEST)
Subject: SUSE-CU-2021:97-1: Security update of ses/7/ceph/grafana
Message-ID: <20210409060150.02EE9B4634A@westernhagen.suse.de>

SUSE Container Update Advisory: ses/7/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:97-1
Container Tags : ses/7/ceph/grafana:7.3.1 , ses/7/ceph/grafana:7.3.1.3.428 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus
Container Release : 3.428
Severity :
important Type : security References : 1050625 1078466 1084671 1141597 1146705 1169006 1171883 1172442 1172695 1172926 1173582 1174016 1174436 1174942 1175458 1175514 1175519 1175623 1176201 1176390 1176489 1176679 1176828 1177238 1177275 1177360 1177427 1177490 1177583 1177857 1177998 1178346 1178386 1178554 1178775 1178775 1178823 1178825 1178837 1178860 1178860 1178905 1178909 1178910 1178932 1178966 1179016 1179083 1179222 1179363 1179398 1179399 1179415 1179452 1179491 1179503 1179526 1179569 1179593 1179694 1179721 1179816 1179824 1179847 1179909 1179997 1180020 1180038 1180073 1180077 1180083 1180107 1180138 1180155 1180225 1180596 1180603 1180603 1180663 1180721 1180885 1181011 1181328 1181358 1181505 1181622 1181831 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182629 1182766 1182959 1183094 1183370 1183371 1183456 1183457 1183852 1183933 1183934 CVE-2017-9271 CVE-2019-25013 CVE-2020-11080 CVE-2020-1971 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-27781 CVE-2020-27839 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-20231 CVE-2021-20232 CVE-2021-22876 CVE-2021-22890 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-3449 ----------------------------------------------------------------- The container ses/7/ceph/grafana was updated. 
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582
This update of SLES-release provides the following fix:
- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released: Wed Nov 11 12:28:46 2020
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1177998
This update for SLES-release fixes the following issue:
- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3747-1
Released: Thu Dec 10 13:54:49 2020
Summary: Recommended update for ceph
Type: recommended
Severity: moderate
References: 1179452,1179526
This update for ceph fixes the following issues:
- Fixed an issue when reading a large 'RGW' object takes too long and can cause data loss. (bsc#1179526)
- Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346
This update for glib2 fixes the following issues:
Update from version 2.62.5 to version 2.62.6:
- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issue:
- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a.
(bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3894-1 Released: Mon Dec 21 12:56:05 2020 Summary: Security update for ceph Type: security Severity: important References: 1178860,1179016,1180107,1180155,CVE-2020-27781 This update for ceph fixes the following issues: Security issue fixed: - CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1180155). Non-security issues fixed: - Update to 15.2.8-80-g1f4b6229ca: + Rebase on tip of upstream 'octopus' branch, SHA1 bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55 * upstream Octopus v15.2.8 release, see https://ceph.io/releases/v15-2-8-octopus-released/ - Update to 15.2.7-776-g343cd10fe5: + Rebase on tip of upstream 'octopus' branch, SHA1 1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1 + (bsc#1179016) rpm: require smartmontools on SUSE + (bsc#1180107) ceph-volume: pass --filter-for-batch from drive-group subcommand ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). 
* This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:109-1 Released: Wed Jan 13 10:13:24 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection.
(bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:169-1 Released: Tue Jan 19 16:18:46 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179816,1180077,1180663,1180721 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to 17.25.6: - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with unknown filesize (fixes #277) zypper was updated to 1.14.42: - Fix source-download commands help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077) libsolv was updated to 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are preferred in more cases ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:174-1 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers.
(bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:321-1 Released: Mon Feb 8 10:29:48 2021 Summary: Recommended update for grafana, system-user-grafana Type: recommended Severity: moderate References: This update for grafana, system-user-grafana fixes the following issues: - Update packaging * avoid systemd and shadow hard requirements * Require the user from a new dedicated 'system-user-grafana' sibling package * avoid pinning to a specific Go version in the spec file - Update to version 7.3.1: * Breaking changes - CloudWatch: The AWS CloudWatch data source's authentication scheme has changed. See the upgrade notes for details and how this may affect you. - Units: The date time units `YYYY-MM-DD HH:mm:ss` and `MM/DD/YYYY h:mm:ss a` have been renamed to `Datetime ISO` and `Datetime US` respectively. * Features / Enhancements - AzureMonitor: Support decimal (as float64) type in analytics/logs. - Add monitoring mixing for Grafana. - CloudWatch: Missing Namespace AWS/EC2CapacityReservations. - CloudWatch: Add support for AWS DirectConnect virtual interface metrics and add missing dimensions. - CloudWatch: Adding support for Amazon ElastiCache Redis metrics. - CloudWatch: Adding support for additional Amazon CloudFront metrics. - CloudWatch: Re-implement authentication. - Elasticsearch: Support multiple pipeline aggregations for a query. - Prometheus: Add time range parameters to labels API. - Loki: Visually distinguish error logs for LogQL2. - Api: Add /healthz endpoint for health checks. - API: Enrich add user to org endpoints with user ID in the response. 
- API: Enrich responses and improve error handling for alerting API endpoints. - Elasticsearch: Add support for date_nanos type. - Elasticsearch: Allow fields starting with underscore. - Elasticsearch: Increase maximum geohash aggregation precision to 12. - Postgres: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - Provisioning: Remove provisioned dashboards without parental reader. - API: Return ID of the deleted resource for dashboard, datasource and folder DELETE endpoints. - API: Support paging in the admin orgs list API. - API: return resource ID for auth key creation, folder permissions update and user invite complete endpoints. - BackendSrv: Uses credentials, deprecates withCredentials & defaults to same-origin. - CloudWatch: Update list of AmazonMQ metrics and dimensions. - Cloudwatch: Add Support for external ID in assume role. - Cloudwatch: Add af-south-1 region. - DateFormats: Default ISO & US formats never omit date part even if date is today (breaking change). - Explore: Transform prometheus query to elasticsearch query. - InfluxDB/Flux: Increase series limit for Flux datasource. - InfluxDB: exclude result and table column from Flux table results. - InfluxDB: return a table rather than an error when timeseries is missing time. - Loki: Add scopedVars support in legend formatting for repeated variables. - Loki: Re-introduce running of instant queries. - Loki: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - MixedDatasource: Shows retrieved data even if a data source fails. - Postgres: Support Unix socket for host. - Prometheus: Add scopedVars support in legend formatting for repeated variables. - Prometheus: Support request cancellation properly (Uses new backendSrv.fetch Observable request API). - Prometheus: add $__rate_interval variable. - Table: Adds column filtering. - grafana-cli: Add ability to read password from stdin to reset admin password. 
- Variables: enables cancel for slow query variables queries. - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. - TextPanel: Fix content overflowing panel boundaries. - Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 
1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. 
(bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:874-1 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179847,1181328,1181622,1182629 This update for libsolv, libzypp, zypper fixes the following issues: - support multiple collections in updateinfo parser - Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328) - Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847) - Fix '%posttrans' script execution. (fixes #265) - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - doc: give more details about creating versioned package locks. (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700.
(bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. 
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1109-1 Released: Thu Apr 8 11:49:10 2021 Summary: Security update for ceph Type: security Severity: moderate References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839 This update for ceph fixes the following issues: - ceph was updated to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence 'Failed to evict container' log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully,
if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) From sle-security-updates at lists.suse.com Fri Apr 9 06:04:03 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 08:04:03 +0200 (CEST) Subject: SUSE-CU-2021:98-1: Security update of ses/7/ceph/ceph Message-ID: <20210409060403.2A9ABB45E9B@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/ceph/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:98-1 Container Tags : ses/7/ceph/ceph:15.2.9.83 , ses/7/ceph/ceph:15.2.9.83.4.157 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus Container Release : 4.157 Severity : important Type : security References : 1050625 1078466 1083473 1098449 1112500 1115408 1125671 1140565 1141597 1142248 1144793 1146705 1154393 1155094 1160876 1165780 1167880 1168771 1171549 1171883 1172442 1172695 1172926 1173582 1174016 1174091 1174436 1174514 1174571 1174701 1175289 1175458 1175519 1176171 1176201 1176262 1176390 1176489 1176679 1176784 1176785 1176828 1177127 1177211 1177238 1177275 1177360 1177427 1177460 1177460 1177490 1177533 1177583 1177658 1177857 1177870 1177998 1178009 1178168 1178386 1178407 1178775 1178775 1178823 1178837 1178860 1178905 1178909 1178910 1178932 1178966 1179083 1179193 1179222 1179363 1179415 1179503 1179569 1179630 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179847 1179909 1179997 1180020 1180038 1180073 1180077 1180083 1180119 1180138 1180225 1180336 1180377 1180501 1180596 1180603 1180603 1180663 1180676 1180684 1180685 1180686 1180687 1180713 1180721 1180801 1180885 1181011 1181090 1181126 1181319 1181328 1181358 1181505 1181622 1181831 1181944 1182066 1182117 1182244 1182279 1182328 1182331 1182333 1182362 1182379 
1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182629 1182688 1182766 1182959 1183012 1183094 1183370 1183371 1183456 1183457 1183852 1183933 1183934 1183942 CVE-2017-9271 CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-25013 CVE-2019-5010 CVE-2020-11080 CVE-2020-14343 CVE-2020-14422 CVE-2020-25659 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710 CVE-2020-26116 CVE-2020-27618 CVE-2020-27619 CVE-2020-27839 CVE-2020-28493 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8025 CVE-2020-8492 CVE-2021-20231 CVE-2021-20232 CVE-2021-22876 CVE-2021-22890 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3139 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 ----------------------------------------------------------------- The container ses/7/ceph/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3294-1 Released: Wed Nov 11 12:28:46 2020 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1177998 This update for SLES-release fixes the following issue: - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. 
(bsc#1177998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3921-1 Released: Tue Dec 22 15:19:17 2020 Summary: Recommended update for libpwquality Type: recommended Severity: low References: This update for libpwquality fixes the following issues: - Implement alignment with 'pam_cracklib'. (jsc#SLE-16720) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(...). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
Update to 3.6.11: - Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised. (bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:6-1 Released: Mon Jan 4 07:05:06 2021 Summary: Recommended update for libdlm Type: recommended Severity: moderate References: 1098449,1144793,1168771,1177533,1177658 This update for libdlm fixes the following issues: - Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449) - Add support for type 'uint64_t' to corosync ringid. (bsc#1168771) - Include some fixes/enhancements for dlm_controld. (bsc#1144793) - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:109-1 Released: Wed Jan 13 10:13:24 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. 
  Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:93-1
Released: Wed Jan 13 16:45:40 2021
Summary: Security update for tcmu-runner
Type: security
Severity: important
References: 1180676,CVE-2021-3139

This update for tcmu-runner fixes the following issues:

- CVE-2021-3139: Fixed a LIO security issue (bsc#1180676).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:152-1
Released: Fri Jan 15 17:04:47 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1179691,1179738

This update for lvm2 fixes the following issues:

- Fix for lvm2 to use udev as external device by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default.
  (bsc#1179738)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released: Tue Jan 19 16:18:46 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179816,1180077,1180663,1180721

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16;

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released: Wed Jan 20 07:55:23 2021
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released: Wed Jan 20 13:38:51 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released: Tue Jan 26 19:22:14 2021
Summary: Security update for sudo
Type: security
Severity: important
References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156

This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:264-1
Released: Mon Feb 1 15:04:00 2021
Summary: Recommended update for dracut
Type: recommended
Severity: important
References: 1142248,1177870,1180119

This update for dracut fixes the following issues:

- As of v246 of systemd 'syslog' and 'syslog-console' switches have been deprecated. (bsc#1180119)
- Make collect optional. (bsc#1177870)
- Inclusion of dracut modifications to enable 'nvme-fc boot' support. (bsc#1142248)
- Add nvmf module. (jsc#ECO-3063)
  * Implement 'fc,auto' commandline syntax.
  * Add nvmf-autoconnect script.
  * Fixup FC connections.
  * Rework parameter handling.
  * Fix typo in the example documentation.
  * Add 'NVMe over TCP' support.
  * Add module for 'NVMe-oF'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released: Tue Feb 2 09:43:08 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1181319

This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:280-1
Released: Tue Feb 2 11:33:49 2021
Summary: Recommended update for strongswan
Type: recommended
Severity: moderate
References: 1167880,1180801

This update for strongswan fixes the following issues:

- Fix trailing quotation mark missing from example in README. (bsc#1167880)
- Fixes an error in 'libgcrypt' causing problems by generating CA keys with 'pki create'.
  (bsc#1180801)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released: Thu Feb 4 13:18:35 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691

This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released: Fri Feb 19 09:44:53 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501

This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:573-1
Released: Wed Feb 24 09:58:38 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1176171,1180336

This update for dracut fixes the following issues:

- arm/arm64: Add reset controllers (bsc#1180336)
- Prevent creating unexpected files on the host when running dracut (bsc#1176171)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released: Thu Feb 25 09:29:35 2021
Summary: Security update for python-cryptography
Type: security
Severity: important
References: 1182066,CVE-2020-36242

This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493

This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released: Mon Mar 1 09:34:21 2021
Summary: Recommended update for protobuf
Type: recommended
Severity: moderate
References: 1177127

This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six.
  (bsc#1177127)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:758-1
Released: Wed Mar 10 12:16:27 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1182688

This update for dracut fixes the following issues:

- network-legacy: fix route parsing issues in ifup. (bsc#1182688)
-0kernel-modules: arm/arm64: Add reset controllers
- Prevent creating unexpected files on the host when running dracut
- As of 'v246' of systemd 'syslog' and 'syslog-console' switches have been deprecated.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released: Fri Mar 12 17:42:25 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it.
  (bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released: Thu Mar 18 09:41:54 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700.
  (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released: Tue Mar 23 13:20:24 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1083473,1112500,1115408,1165780,1183012

This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer`
- Avoid needless refresh on boot.
  (bsc#1165780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released: Wed Mar 24 12:19:10 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released: Wed Mar 24 14:30:58 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1182379,CVE-2021-23336

This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:952-1
Released: Thu Mar 25 14:36:56 2021
Summary: Recommended update for libunwind
Type: recommended
Severity: moderate
References: 1160876,1171549

This update for libunwind fixes the following issues:

- Update to version 1.5.0. (jsc#ECO-3395)
- Enable s390x for building. (jsc#ECO-3395)
- Fix compilation with 'fno-common'. (bsc#1171549)
- Fix build with 'GCC-10'. (bsc#1160876)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:953-1
Released: Thu Mar 25 14:37:26 2021
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1178407

This update for psmisc fixes the following issues:

- Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released: Thu Mar 25 16:11:48 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released: Tue Mar 30 14:42:46 2021
Summary: Recommended update for the Azure SDK and CLI
Type: recommended
Severity: moderate
References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO=3105)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released: Thu Apr 1 17:44:57 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890

This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987

This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released: Tue Apr 6 14:29:13 2021
Summary: Recommended update for gzip
Type: recommended
Severity: moderate
References: 1180713

This update for gzip fixes the following issues:

- Fixes an issue when 'gzexe' counts the lines to skip wrong.
  (bsc#1180713)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1109-1
Released: Thu Apr 8 11:49:10 2021
Summary: Security update for ceph
Type: security
Severity: moderate
References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839

This update for ceph fixes the following issues:

- ceph was updated to 15.2.9
- cephadm: fix 'inspect' and 'pull' (bsc#1182766)
- CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997)
- CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905)
- mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926)
- mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679)
- mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489)
- cephadm: command_unit: call systemctl with verbose=True (bsc#1176828)
- cephadm: silence 'Failed to evict container' log msg (bsc#1177360)
- mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857)
- rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
- mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
- cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569)

From sle-security-updates at lists.suse.com Fri Apr 9 06:06:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Apr 2021 08:06:25 +0200 (CEST)
Subject: SUSE-CU-2021:99-1: Security update of ses/7/rook/ceph
Message-ID: <20210409060625.A5825B45E9B@westernhagen.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:99-1
Container Tags : ses/7/rook/ceph:1.5.7 , ses/7/rook/ceph:1.5.7.4 , ses/7/rook/ceph:1.5.7.4.1.1546 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release : 1.1546
Severity : important
Type : security
References : 1078466 1083473 1112500 1115408 1125671 1140565 1146705 1154393 1160876 1165780 1171549 1172442 1172926 1174514 1175289 1175519 1176201 1176390 1176489 1176679 1176784 1176785 1176828 1177360 1177857 1178168 1178407 1178775 1178837 1178860 1178905 1178932 1179569 1179847 1179997 1180020 1180073 1180083 1180596 1180713 1181011 1181328 1181358 1181622 1181831 1182328 1182362 1182379 1182629 1182766 1183012 1183094 1183370 1183371 1183456 1183457 1183852 1183933 1183934 CVE-2020-11080 CVE-2020-14343 CVE-2020-25659 CVE-2020-25678 CVE-2020-27839 CVE-2021-20231 CVE-2021-20232 CVE-2021-22876 CVE-2021-22890 CVE-2021-23336 CVE-2021-24031 CVE-2021-24032 CVE-2021-27218 CVE-2021-27219 CVE-2021-3449
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released: Fri Mar 12 17:42:25 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it.
  (bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released: Thu Mar 18 09:41:54 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700.
(bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:952-1 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Type: recommended Severity: moderate References: 1160876,1171549 This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:953-1 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1178407 This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:42:46 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). 
(bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1018-1 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1180713 This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. 
(bsc#1180713) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1109-1 Released: Thu Apr 8 11:49:10 2021 Summary: Security update for ceph Type: security Severity: moderate References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839 This update for ceph fixes the following issues: - ceph was updated to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence 'Failed to evict container' log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) From sle-security-updates at lists.suse.com Fri Apr 9 06:08:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 08:08:10 +0200 (CEST) Subject: SUSE-CU-2021:100-1: Security update of suse/sle15 Message-ID: <20210409060810.97270B46345@westernhagen.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:100-1 Container Tags : suse/sle15:15.3 , suse/sle15:15.3.13.2.252 Container Release : 13.2.252 Severity : moderate Type : security References : 1180073 1183933 1183934 CVE-2021-22876 CVE-2021-22890
----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) From sle-security-updates at lists.suse.com Fri Apr 9 13:16:40 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 15:16:40 +0200 (CEST) Subject: SUSE-SU-2021:1116-1: important: Security update for umoci Message-ID: <20210409131640.30119F78E@maintenance.suse.de> SUSE Security Update: Security update for umoci ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1116-1 Rating: important References: #1184147 Cross-References: CVE-2021-29136 CVSS scores: CVE-2021-29136 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Module for Containers 15-SP3 SUSE 
Linux Enterprise Module for Containers 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for umoci fixes the following issues: - Update to umoci v0.4.6. - CVE-2021-29136: malicious layer allows overwriting of host files (bsc#1184147) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1116=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1116=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1116=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1116=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1116=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1116=1 - SUSE Linux Enterprise Module for Containers 15-SP3: zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2021-1116=1 - SUSE Linux Enterprise Module for Containers 15-SP2: zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2021-1116=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1116=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1116=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1116=1 - SUSE CaaS Platform 4.0: To install this 
update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): umoci-0.4.6-3.9.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): umoci-0.4.6-3.9.1 - SUSE Manager Proxy 4.0 (x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): umoci-0.4.6-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): umoci-0.4.6-3.9.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): umoci-0.4.6-3.9.1 - SUSE CaaS Platform 4.0 (x86_64): umoci-0.4.6-3.9.1 References: https://www.suse.com/security/cve/CVE-2021-29136.html https://bugzilla.suse.com/1184147 From sle-security-updates at lists.suse.com Fri Apr 9 19:16:52 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 21:16:52 +0200 (CEST) Subject: SUSE-SU-2021:1123-1: important: Security update for fwupdate Message-ID: <20210409191652.A0E23F78E@maintenance.suse.de> SUSE Security Update: Security update for fwupdate ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1123-1 Rating: important References: #1182057 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description: This update for fwupdate fixes the following issues: - Add SBAT section to EFI images (bsc#1182057) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1123=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1123=1 Package List: - SUSE OpenStack Cloud 7 (x86_64): fwupdate-0.5-7.5.1 fwupdate-debuginfo-0.5-7.5.1 fwupdate-debugsource-0.5-7.5.1 fwupdate-efi-0.5-7.5.1 fwupdate-efi-debuginfo-0.5-7.5.1 libfwup0-0.5-7.5.1 libfwup0-debuginfo-0.5-7.5.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): fwupdate-0.5-7.5.1 fwupdate-debuginfo-0.5-7.5.1 fwupdate-debugsource-0.5-7.5.1 fwupdate-efi-0.5-7.5.1 fwupdate-efi-debuginfo-0.5-7.5.1 libfwup0-0.5-7.5.1 libfwup0-debuginfo-0.5-7.5.1 References: https://bugzilla.suse.com/1182057 From sle-security-updates at lists.suse.com Fri Apr 9 19:17:55 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 9 Apr 2021 21:17:55 +0200 (CEST) Subject: SUSE-SU-2021:1125-1: moderate: Security update for wpa_supplicant Message-ID: <20210409191755.094BBF78E@maintenance.suse.de> SUSE Security Update: Security update for wpa_supplicant ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1125-1 Rating: moderate References: #1184348 Cross-References: CVE-2021-30004 CVSS scores: CVE-2021-30004 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-30004 (SUSE): 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for wpa_supplicant fixes the following issues: - CVE-2021-30004: Fixed an issue where forging attacks might have occurred because AlgorithmIdentifier parameters were mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1125=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): wpa_supplicant-2.9-23.12.1 wpa_supplicant-debuginfo-2.9-23.12.1 wpa_supplicant-debugsource-2.9-23.12.1 References: https://www.suse.com/security/cve/CVE-2021-30004.html https://bugzilla.suse.com/1184348 From sle-security-updates at lists.suse.com Mon Apr 12 16:16:14 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Apr 2021 18:16:14 +0200 (CEST) Subject: SUSE-SU-2021:1145-1: important: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) Message-ID: <20210412161614.6118EFCF8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1145-1 Rating: important References: #1182717 #1183120 #1183491 Cross-References: CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVSS scores: CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE
Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.121-92_138 fixes several issues. The following security issues were fixed: - CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120). - CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1142=1 SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1143=1 SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1144=1 SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1145=1 SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1146=1 SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1147=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1142=1 SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1143=1 SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1144=1 SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1145=1 SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1146=1 SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1147=1 Package List: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): kgraft-patch-4_4_121-92_129-default-10-2.2 kgraft-patch-4_4_121-92_135-default-8-2.2 kgraft-patch-4_4_121-92_138-default-8-2.2 kgraft-patch-4_4_121-92_141-default-7-2.2 kgraft-patch-4_4_121-92_146-default-5-2.2 kgraft-patch-4_4_121-92_149-default-3-2.2 - 
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): kgraft-patch-4_4_121-92_129-default-10-2.2 kgraft-patch-4_4_121-92_135-default-8-2.2 kgraft-patch-4_4_121-92_138-default-8-2.2 kgraft-patch-4_4_121-92_141-default-7-2.2 kgraft-patch-4_4_121-92_146-default-5-2.2 kgraft-patch-4_4_121-92_149-default-3-2.2 References: https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183120 https://bugzilla.suse.com/1183491 From sle-security-updates at lists.suse.com Mon Apr 12 16:21:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 12 Apr 2021 18:21:54 +0200 (CEST) Subject: SUSE-SU-2021:1148-1: important: Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP2) Message-ID: <20210412162154.7FA41FCF8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1148-1 Rating: important References: #1165631 #1176931 #1177513 #1182717 #1183120 #1183491 Cross-References: CVE-2020-0429 CVE-2020-1749 CVE-2020-25645 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVSS scores: CVE-2020-0429 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-1749 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.121-92_152 fixes several issues. The following security issues were fixed: - CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120). - CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717). - CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bsc#1177513). - CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges needed (bsc#1176931). - CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1148=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1148=1 Package List: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): kgraft-patch-4_4_121-92_152-default-2-2.2 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): kgraft-patch-4_4_121-92_152-default-2-2.2 References: https://www.suse.com/security/cve/CVE-2020-0429.html https://www.suse.com/security/cve/CVE-2020-1749.html https://www.suse.com/security/cve/CVE-2020-25645.html https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1176931 https://bugzilla.suse.com/1177513 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183120 https://bugzilla.suse.com/1183491 From sle-security-updates at lists.suse.com Mon Apr 12 22:15:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 00:15:54 +0200 (CEST) Subject: SUSE-SU-2021:1152-1: important: Security update for spamassassin Message-ID: <20210412221554.02CB3F78E@maintenance.suse.de> SUSE Security Update: Security update for spamassassin ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1152-1 Rating: important References: #1159133 #1184221 Cross-References: CVE-2019-12420 CVE-2020-1946 CVSS scores: CVE-2019-12420 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-12420 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-1946 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack 
Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for spamassassin fixes the following issues: - spamassassin was updated to version 3.4.5 - CVE-2019-12420: memory leak via crafted messages (bsc#1159133) - CVE-2020-1946: security update (bsc#1184221) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1152=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1152=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1152=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1152=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1152=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1152=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1152=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1152=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1152=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1152=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch 
SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1152=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1152=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1152=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1152=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE OpenStack Cloud 9 (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE OpenStack Cloud 8 (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): 
perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 - HPE Helion Openstack 8 (x86_64): perl-Mail-SpamAssassin-3.4.5-44.13.1 spamassassin-3.4.5-44.13.1 spamassassin-debuginfo-3.4.5-44.13.1 spamassassin-debugsource-3.4.5-44.13.1 References: https://www.suse.com/security/cve/CVE-2019-12420.html https://www.suse.com/security/cve/CVE-2020-1946.html https://bugzilla.suse.com/1159133 https://bugzilla.suse.com/1184221 From sle-security-updates at lists.suse.com Mon Apr 12 22:17:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 00:17:09 +0200 (CEST) Subject: SUSE-SU-2021:1153-1: important: Security update for spamassassin Message-ID: <20210412221709.BF93EF78E@maintenance.suse.de> SUSE Security Update: Security update for spamassassin ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1153-1 Rating: important References: #1159133 #1184221 Cross-References: CVE-2019-12420 CVE-2020-1946 CVSS scores: CVE-2019-12420 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-12420 (SUSE): 7.5 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-1946 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for spamassassin fixes the following issues: - CVE-2019-12420: memory leak via crafted messages (bsc#1159133) - CVE-2020-1946: security update (bsc#1184221) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1153=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1153=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1153=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1153=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.5-7.14.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.14.1 spamassassin-3.4.5-7.14.1 spamassassin-debuginfo-3.4.5-7.14.1 spamassassin-debugsource-3.4.5-7.14.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): perl-Mail-SpamAssassin-3.4.5-7.14.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.14.1 spamassassin-3.4.5-7.14.1 spamassassin-debuginfo-3.4.5-7.14.1 spamassassin-debugsource-3.4.5-7.14.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.5-7.14.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.14.1 spamassassin-3.4.5-7.14.1 
spamassassin-debuginfo-3.4.5-7.14.1 spamassassin-debugsource-3.4.5-7.14.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.5-7.14.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-7.14.1 spamassassin-3.4.5-7.14.1 spamassassin-debuginfo-3.4.5-7.14.1 spamassassin-debugsource-3.4.5-7.14.1 References: https://www.suse.com/security/cve/CVE-2019-12420.html https://www.suse.com/security/cve/CVE-2020-1946.html https://bugzilla.suse.com/1159133 https://bugzilla.suse.com/1184221 From sle-security-updates at lists.suse.com Tue Apr 13 13:16:18 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 15:16:18 +0200 (CEST) Subject: SUSE-SU-2021:1161-1: moderate: Security update for cifs-utils Message-ID: <20210413131618.37511FCF8@maintenance.suse.de> SUSE Security Update: Security update for cifs-utils ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1161-1 Rating: moderate References: #1183239 Cross-References: CVE-2021-20208 CVSS scores: CVE-2021-20208 (SUSE): 6.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cifs-utils fixes the following issues: - CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1161=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): cifs-utils-6.9-5.9.1 cifs-utils-debuginfo-6.9-5.9.1 cifs-utils-debugsource-6.9-5.9.1 cifs-utils-devel-6.9-5.9.1 References: https://www.suse.com/security/cve/CVE-2021-20208.html https://bugzilla.suse.com/1183239 From sle-security-updates at lists.suse.com Tue Apr 13 13:18:19 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 15:18:19 +0200 (CEST) Subject: SUSE-SU-2021:1162-1: moderate: Security update for rubygem-actionpack-4_2 Message-ID: <20210413131819.5482FFCF8@maintenance.suse.de> SUSE Security Update: Security update for rubygem-actionpack-4_2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1162-1 Rating: moderate References: #1159548 Cross-References: CVE-2019-16782 CVSS scores: CVE-2019-16782 (SUSE): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for rubygem-actionpack-4_2 fixes the following issues: - CVE-2019-16782: Possible Information Leak / Session Hijack Vulnerability in Rack (bsc#1159548) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1162=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1162=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1162=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): ruby2.1-rubygem-actionpack-4_2-4.2.9-7.9.1 References: https://www.suse.com/security/cve/CVE-2019-16782.html https://bugzilla.suse.com/1159548 From sle-security-updates at lists.suse.com Tue Apr 13 13:19:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 15:19:22 +0200 (CEST) Subject: SUSE-SU-2021:1159-1: moderate: Security update for cifs-utils Message-ID: <20210413131922.AA2D7FCF8@maintenance.suse.de> SUSE Security Update: Security update for cifs-utils ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1159-1 Rating: moderate References: #1183239 Cross-References: CVE-2021-20208 CVSS scores: CVE-2021-20208 (SUSE): 6.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cifs-utils fixes the following issues: - CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1159=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1159=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): cifs-utils-debuginfo-6.9-13.14.1 cifs-utils-debugsource-6.9-13.14.1 cifs-utils-devel-6.9-13.14.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): cifs-utils-6.9-13.14.1 cifs-utils-debuginfo-6.9-13.14.1 cifs-utils-debugsource-6.9-13.14.1 References: https://www.suse.com/security/cve/CVE-2021-20208.html https://bugzilla.suse.com/1183239 From sle-security-updates at lists.suse.com Tue Apr 13 16:16:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:16:22 +0200 (CEST) Subject: SUSE-SU-2021:1166-1: moderate: Security update for wpa_supplicant Message-ID: <20210413161622.1C590F78E@maintenance.suse.de> SUSE Security Update: Security update for wpa_supplicant ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1166-1 Rating: moderate References: #1184348 Cross-References: CVE-2021-30004 CVSS scores: CVE-2021-30004 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-30004 (SUSE): 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for wpa_supplicant fixes the following issues: - CVE-2021-30004: Fixed an issue where forging attacks might have occurred because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348).
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1166=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1166=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): wpa_supplicant-2.9-4.29.1 wpa_supplicant-debuginfo-2.9-4.29.1 wpa_supplicant-debugsource-2.9-4.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): wpa_supplicant-2.9-4.29.1 wpa_supplicant-debuginfo-2.9-4.29.1 wpa_supplicant-debugsource-2.9-4.29.1 References: https://www.suse.com/security/cve/CVE-2021-30004.html https://bugzilla.suse.com/1184348 From sle-security-updates at lists.suse.com Tue Apr 13 16:19:40 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:19:40 +0200 (CEST) Subject: SUSE-SU-2021:1164-1: important: Security update for open-iscsi Message-ID: <20210413161940.4FB23F78E@maintenance.suse.de> SUSE Security Update: Security update for open-iscsi ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1164-1 Rating: important References: #1173886 #1179908 #1183421 Cross-References: CVE-2020-13987 CVE-2020-13988 CVE-2020-17437 CVE-2020-17438 CVSS scores: CVE-2020-13987 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-13987 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2020-13988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-17437 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-17437 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-17438 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-17438 (SUSE): 7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Affected 
Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Legacy Software 15-SP3 SUSE Linux Enterprise Module for Legacy Software 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for open-iscsi fixes the following issues: - CVE-2020-17437: uIP Out-of-Bounds Write (bsc#1179908) - CVE-2020-17438: uIP Out-of-Bounds Write (bsc#1179908) - CVE-2020-13987: uIP Out-of-Bounds Read (bsc#1179908) - CVE-2020-13988: uIP Integer Overflow (bsc#1179908) - Enabled no-wait ("-W") iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421) - Added the ability to perform async logins (bsc#1173886) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1164=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1164=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1164=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1164=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1164=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1164=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1164=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1164=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-1164=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-1164=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1164=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1164=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1164=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1164=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1164=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Manager Proxy 4.0 (x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 
open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 
open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 - SUSE CaaS Platform 4.0 (x86_64): iscsiuio-0.7.8.2-13.42.1 iscsiuio-debuginfo-0.7.8.2-13.42.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopeniscsiusr0_2_0-debuginfo-2.0.876-13.42.1 open-iscsi-2.0.876-13.42.1 open-iscsi-debuginfo-2.0.876-13.42.1 open-iscsi-debugsource-2.0.876-13.42.1 open-iscsi-devel-2.0.876-13.42.1 References: https://www.suse.com/security/cve/CVE-2020-13987.html https://www.suse.com/security/cve/CVE-2020-13988.html https://www.suse.com/security/cve/CVE-2020-17437.html https://www.suse.com/security/cve/CVE-2020-17438.html https://bugzilla.suse.com/1173886 https://bugzilla.suse.com/1179908 https://bugzilla.suse.com/1183421 From sle-security-updates at lists.suse.com Tue Apr 13 16:21:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:21:06 +0200 (CEST) Subject: SUSE-SU-2021:1167-1: important: Security update for MozillaThunderbird Message-ID: <20210413162106.7EA6FF78E@maintenance.suse.de> SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1167-1 Rating: important 
References: #1177542 #1183942 #1184536 Cross-References: CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-23991 CVE-2021-23992 CVSS scores: CVE-2021-23981 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2021-23982 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-23984 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-23987 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23991 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP2 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird was updated to version 78.9.1 (MFSA 2021-12, MFSA 2021-13, bsc#1183942, bsc#1184536) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs * CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key * CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key - cleaned up and fixed mozilla.sh.in for wayland (bsc#1177542) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1167=1 - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1167=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): MozillaThunderbird-78.9.1-8.20.1 MozillaThunderbird-debuginfo-78.9.1-8.20.1 MozillaThunderbird-debugsource-78.9.1-8.20.1 MozillaThunderbird-translations-common-78.9.1-8.20.1 MozillaThunderbird-translations-other-78.9.1-8.20.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): MozillaThunderbird-78.9.1-8.20.1 MozillaThunderbird-debuginfo-78.9.1-8.20.1 MozillaThunderbird-debugsource-78.9.1-8.20.1 MozillaThunderbird-translations-common-78.9.1-8.20.1 MozillaThunderbird-translations-other-78.9.1-8.20.1 References: https://www.suse.com/security/cve/CVE-2021-23981.html https://www.suse.com/security/cve/CVE-2021-23982.html https://www.suse.com/security/cve/CVE-2021-23984.html https://www.suse.com/security/cve/CVE-2021-23987.html https://www.suse.com/security/cve/CVE-2021-23991.html https://www.suse.com/security/cve/CVE-2021-23992.html https://bugzilla.suse.com/1177542 https://bugzilla.suse.com/1183942 https://bugzilla.suse.com/1184536 From sle-security-updates at lists.suse.com Tue Apr 13 16:22:23 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:22:23 +0200 (CEST) Subject: SUSE-SU-2021:1168-1: moderate: Security update for opensc Message-ID: <20210413162223.2771DF78E@maintenance.suse.de> SUSE Security Update: Security update for opensc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1168-1 Rating: moderate References: #1149746 #1149747 #1158256 #1158307 #1170809 #1177364 #1177378 #1177380 Cross-References: CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2019-19480 
CVE-2019-20792 CVE-2020-26570 CVE-2020-26571 CVE-2020-26572 CVSS scores: CVE-2019-15945 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15945 (SUSE): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2019-15946 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15946 (SUSE): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2019-19479 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2019-19479 (SUSE): 4.3 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2019-19480 (NVD) : 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-20792 (NVD) : 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-20792 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-26570 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-26570 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26571 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-26571 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26572 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-26572 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for opensc fixes the following issues: - CVE-2019-15945: Fixed an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746). - CVE-2019-15946: Fixed an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747) - CVE-2019-19479: Fixed an incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256) - CVE-2019-19480: Fixed an improper free operation in sc_pkcs15_decode_prkdf_entry (bsc#1158307). - CVE-2019-20792: Fixed a double free in coolkey_free_private_data (bsc#1170809). 
- CVE-2020-26570: Fixed a buffer overflow in sc_oberthur_read_file (bsc#1177364). - CVE-2020-26571: Fixed a stack-based buffer overflow in gemsafe GPK smart card software driver (bsc#1177380) - CVE-2020-26572: Fixed a stack-based buffer overflow in tcos_decipher (bsc#1177378). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1168=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1168=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): opensc-0.19.0-3.7.1 opensc-debuginfo-0.19.0-3.7.1 opensc-debugsource-0.19.0-3.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): opensc-0.19.0-3.7.1 opensc-debuginfo-0.19.0-3.7.1 opensc-debugsource-0.19.0-3.7.1 References: https://www.suse.com/security/cve/CVE-2019-15945.html https://www.suse.com/security/cve/CVE-2019-15946.html https://www.suse.com/security/cve/CVE-2019-19479.html https://www.suse.com/security/cve/CVE-2019-19480.html https://www.suse.com/security/cve/CVE-2019-20792.html https://www.suse.com/security/cve/CVE-2020-26570.html https://www.suse.com/security/cve/CVE-2020-26571.html https://www.suse.com/security/cve/CVE-2020-26572.html https://bugzilla.suse.com/1149746 https://bugzilla.suse.com/1149747 https://bugzilla.suse.com/1158256 https://bugzilla.suse.com/1158307 https://bugzilla.suse.com/1170809 https://bugzilla.suse.com/1177364 https://bugzilla.suse.com/1177378 https://bugzilla.suse.com/1177380 From sle-security-updates at lists.suse.com Tue Apr 13 16:24:03 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:24:03 +0200 (CEST) Subject: 
SUSE-SU-2021:1163-1: important: Security update for spamassassin Message-ID: <20210413162403.7B804F78E@maintenance.suse.de> SUSE Security Update: Security update for spamassassin ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1163-1 Rating: important References: #1159133 #1184221 Cross-References: CVE-2019-12420 CVE-2020-1946 CVSS scores: CVE-2019-12420 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-12420 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-1946 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for spamassassin fixes the following issues: - CVE-2019-12420: memory leak via crafted messages (bsc#1159133) - CVE-2020-1946: security update (bsc#1184221) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1163=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1163=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1163=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1163=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1163=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1163=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1163=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1163=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1163=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1163=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1163=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1163=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1163=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Manager Proxy 4.0 (x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - 
SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 - SUSE CaaS Platform 4.0 (x86_64): perl-Mail-SpamAssassin-3.4.5-12.10.1 perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 spamassassin-3.4.5-12.10.1 spamassassin-debuginfo-3.4.5-12.10.1 spamassassin-debugsource-3.4.5-12.10.1 References: https://www.suse.com/security/cve/CVE-2019-12420.html https://www.suse.com/security/cve/CVE-2020-1946.html https://bugzilla.suse.com/1159133 https://bugzilla.suse.com/1184221 From sle-security-updates at lists.suse.com Tue Apr 13 16:25:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 18:25:22 +0200 (CEST) Subject: SUSE-SU-2021:1165-1: important: Security update for glibc Message-ID: <20210413162522.EDE49F78E@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1165-1 Rating: important References: #1178386 #1179694 #1179721 #1184034 Cross-References: 
CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVSS scores: CVE-2020-27618 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27618 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2020-29562 (NVD) : 4.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2020-29562 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-29573 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-29573 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for glibc fixes the following issues: - CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386) - CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694) - CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721) - Check vector support in memmove ifunc-selector (bsc#1184034) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1165=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1165=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1165=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1165=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1165=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1165=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): glibc-2.22-114.8.3 glibc-32bit-2.22-114.8.3 glibc-debuginfo-2.22-114.8.3 glibc-debuginfo-32bit-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-2.22-114.8.3 glibc-devel-32bit-2.22-114.8.3 glibc-devel-debuginfo-2.22-114.8.3 glibc-devel-debuginfo-32bit-2.22-114.8.3 glibc-locale-2.22-114.8.3 glibc-locale-32bit-2.22-114.8.3 glibc-locale-debuginfo-2.22-114.8.3 glibc-locale-debuginfo-32bit-2.22-114.8.3 glibc-profile-2.22-114.8.3 glibc-profile-32bit-2.22-114.8.3 nscd-2.22-114.8.3 nscd-debuginfo-2.22-114.8.3 - SUSE OpenStack Cloud Crowbar 9 (noarch): glibc-html-2.22-114.8.3 glibc-i18ndata-2.22-114.8.3 glibc-info-2.22-114.8.3 - SUSE OpenStack Cloud 9 (x86_64): glibc-2.22-114.8.3 glibc-32bit-2.22-114.8.3 glibc-debuginfo-2.22-114.8.3 glibc-debuginfo-32bit-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-2.22-114.8.3 glibc-devel-32bit-2.22-114.8.3 glibc-devel-debuginfo-2.22-114.8.3 glibc-devel-debuginfo-32bit-2.22-114.8.3 glibc-locale-2.22-114.8.3 glibc-locale-32bit-2.22-114.8.3 glibc-locale-debuginfo-2.22-114.8.3 glibc-locale-debuginfo-32bit-2.22-114.8.3 glibc-profile-2.22-114.8.3 glibc-profile-32bit-2.22-114.8.3 nscd-2.22-114.8.3 nscd-debuginfo-2.22-114.8.3 - SUSE OpenStack Cloud 9 (noarch): glibc-html-2.22-114.8.3 glibc-i18ndata-2.22-114.8.3 glibc-info-2.22-114.8.3 - SUSE 
Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): glibc-debuginfo-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-static-2.22-114.8.3 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): glibc-info-2.22-114.8.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): glibc-2.22-114.8.3 glibc-debuginfo-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-2.22-114.8.3 glibc-devel-debuginfo-2.22-114.8.3 glibc-locale-2.22-114.8.3 glibc-locale-debuginfo-2.22-114.8.3 glibc-profile-2.22-114.8.3 nscd-2.22-114.8.3 nscd-debuginfo-2.22-114.8.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): glibc-32bit-2.22-114.8.3 glibc-debuginfo-32bit-2.22-114.8.3 glibc-devel-32bit-2.22-114.8.3 glibc-devel-debuginfo-32bit-2.22-114.8.3 glibc-locale-32bit-2.22-114.8.3 glibc-locale-debuginfo-32bit-2.22-114.8.3 glibc-profile-32bit-2.22-114.8.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): glibc-html-2.22-114.8.3 glibc-i18ndata-2.22-114.8.3 glibc-info-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): glibc-2.22-114.8.3 glibc-debuginfo-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-2.22-114.8.3 glibc-devel-debuginfo-2.22-114.8.3 glibc-locale-2.22-114.8.3 glibc-locale-debuginfo-2.22-114.8.3 glibc-profile-2.22-114.8.3 nscd-2.22-114.8.3 nscd-debuginfo-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): glibc-32bit-2.22-114.8.3 glibc-debuginfo-32bit-2.22-114.8.3 glibc-devel-32bit-2.22-114.8.3 glibc-devel-debuginfo-32bit-2.22-114.8.3 glibc-locale-32bit-2.22-114.8.3 glibc-locale-debuginfo-32bit-2.22-114.8.3 glibc-profile-32bit-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP5 (noarch): glibc-html-2.22-114.8.3 glibc-i18ndata-2.22-114.8.3 glibc-info-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): glibc-2.22-114.8.3 glibc-debuginfo-2.22-114.8.3 glibc-debugsource-2.22-114.8.3 glibc-devel-2.22-114.8.3 
glibc-devel-debuginfo-2.22-114.8.3 glibc-locale-2.22-114.8.3 glibc-locale-debuginfo-2.22-114.8.3 glibc-profile-2.22-114.8.3 nscd-2.22-114.8.3 nscd-debuginfo-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): glibc-32bit-2.22-114.8.3 glibc-debuginfo-32bit-2.22-114.8.3 glibc-devel-32bit-2.22-114.8.3 glibc-devel-debuginfo-32bit-2.22-114.8.3 glibc-locale-32bit-2.22-114.8.3 glibc-locale-debuginfo-32bit-2.22-114.8.3 glibc-profile-32bit-2.22-114.8.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): glibc-html-2.22-114.8.3 glibc-i18ndata-2.22-114.8.3 glibc-info-2.22-114.8.3 References: https://www.suse.com/security/cve/CVE-2020-27618.html https://www.suse.com/security/cve/CVE-2020-29562.html https://www.suse.com/security/cve/CVE-2020-29573.html https://bugzilla.suse.com/1178386 https://bugzilla.suse.com/1179694 https://bugzilla.suse.com/1179721 https://bugzilla.suse.com/1184034 From sle-security-updates at lists.suse.com Tue Apr 13 19:18:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 13 Apr 2021 21:18:15 +0200 (CEST) Subject: SUSE-SU-2021:1177-1: important: Security update for the Linux Kernel Message-ID: <20210413191815.38D21F78E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1177-1 Rating: important References: #1152472 #1152489 #1153274 #1154353 #1155518 #1156256 #1159280 #1160634 #1167773 #1168777 #1169514 #1169709 #1171295 #1173485 #1177326 #1178163 #1178330 #1179454 #1180197 #1180980 #1181383 #1181674 #1181862 #1182011 #1182077 #1182485 #1182552 #1182574 #1182591 #1182595 #1182715 #1182716 #1182717 #1182770 #1182989 #1183015 #1183018 #1183022 #1183023 #1183048 #1183252 #1183277 #1183278 #1183279 #1183280 #1183281 #1183282 #1183283 #1183284 #1183285 #1183286 #1183287 #1183288 #1183366 #1183369 #1183386 #1183412 #1183416 #1183427 #1183428 #1183445 
#1183447 #1183501 #1183509 #1183530 #1183534 #1183540 #1183593 #1183596 #1183598 #1183637 #1183646 #1183662 #1183686 #1183692 #1183696 #1183750 #1183757 #1183775 #1183843 #1183859 #1183871 #1184167 #1184168 #1184170 #1184176 #1184192 #1184193 #1184196 #1184198 #1184217 #1184218 #1184219 #1184220 #1184224 Cross-References: CVE-2019-18814 CVE-2019-19769 CVE-2020-27170 CVE-2020-27171 CVE-2020-27815 CVE-2020-35519 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28375 CVE-2021-28660 CVE-2021-28688 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-3428 CVE-2021-3444 CVSS scores: CVE-2019-18814 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-18814 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19769 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-19769 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28375 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28964 (SUSE): 6.2 
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP2 ______________________________________________________________________________ An update that solves 21 vulnerabilities and has 74 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 Azure kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184170). - CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485). - CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192). - CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167). - CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198). - CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196). - CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193). - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646). - CVE-2021-28660: Fixed an out-of-bounds write in rtw_wx_set_scan (bsc#1183593). - CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596). - CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022). - CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715). - CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717). - CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716). - CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696). - CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454). - CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775). - CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280). - CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256). The following non-security bugs were fixed: - 0007-block-add-docs-for-gendisk-request_queue-refcount-he.patch: (bsc#1171295, git fixes (block drivers)). - 0008-block-revert-back-to-synchronous-request_queue-remov.patch: (bsc#1171295, git fixes (block drivers)). - 0009-blktrace-fix-debugfs-use-after-free.patch: (bsc#1171295, git fixes (block drivers)). - ACPI: bus: Constify is_acpi_node() and friends (part 2) (git-fixes). - ACPICA: Always create namespace nodes using acpi_ns_create_node() (git-fixes). - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383). - ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (git-fixes). - ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes). - ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (git-fixes). - ACPI: video: Add missing callback back for Sony VPCEH3U1E (git-fixes). - ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes). - ALSA: hda: Avoid spurious unsol event handling during S3/S4 (git-fixes). - ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes). - ALSA: hda: generic: Fix the micmute led init state (git-fixes). - ALSA: hda/hdmi: Cancel pending works before suspend (git-fixes). - ALSA: hda/realtek: Add quirk for Clevo NH55RZQ (git-fixes). - ALSA: hda/realtek: Add quirk for Intel NUC 10 (git-fixes). - ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board (git-fixes). - ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (git-fixes). - ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (git-fixes). - ALSA: hda/realtek: Enable headset mic of Acer SWIFT with ALC256 (git-fixes). - ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (git-fixes).
- ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk (bsc#1182552). - ALSA: usb-audio: Allow modifying parameters with succeeding hw_params calls (bsc#1182552). - ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (git-fixes). - ALSA: usb-audio: Apply the control quirk to Plantronics headsets (bsc#1182552). - ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() (bsc#1182552). - ALSA: usb-audio: Do not abort even if the clock rate differs (bsc#1182552). - ALSA: usb-audio: Drop bogus dB range in too low level (bsc#1182552). - ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar (bsc#1182552). - ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe (bsc#1182552). - ALSA: usb-audio: Fix "RANGE setting not yet supported" errors (git-fixes). - ALSA: usb-audio: fix use after free in usb_audio_disconnect (bsc#1182552). - ALSA: usb-audio: Skip the clock selector inquiry for single connections (git-fixes). - ALSA: usb: Use DIV_ROUND_UP() instead of open-coding it (git-fixes). - amd/amdgpu: Disable VCN DPG mode for Picasso (git-fixes). - apparmor: check/put label on apparmor_sk_clone_security() (git-fixes). - arm64: make STACKPROTECTOR_PER_TASK configurable (bsc#1181862). - ASoC: ak4458: Add MODULE_DEVICE_TABLE (git-fixes). - ASoC: ak5558: Add MODULE_DEVICE_TABLE (git-fixes). - ASoC: cs42l42: Always wait at least 3ms after reset (git-fixes). - ASoC: cs42l42: Do not enable/disable regulator at Bias Level (git-fixes). - ASoC: cs42l42: Fix Bitclock polarity inversion (git-fixes). - ASoC: cs42l42: Fix channel width support (git-fixes). - ASoC: cs42l42: Fix mixer volume control (git-fixes). - ASoC: es8316: Simplify adc_pga_gain_tlv table (git-fixes). - ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (git-fixes). 
- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold (git-fixes). - ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (git-fixes). - ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes). - ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes). - ASoC: rt5670: Add emulated 'DAC1 Playback Switch' control (git-fixes). - ASoC: rt5670: Remove ADC vol-ctrl mute bits poking from Sto1 ADC mixer settings (git-fixes). - ASoC: rt5670: Remove 'HP Playback Switch' control (git-fixes). - ASoC: rt5670: Remove 'OUT Channel Switch' control (git-fixes). - ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (git-fixes). - ASoC: simple-card-utils: Do not handle device clock (git-fixes). - ath10k: fix wmi mgmt tx queue full due to race condition (git-fixes). - ath9k: fix transmitting to stations in dynamic SMPS mode (git-fixes). - binfmt_misc: fix possible deadlock in bm_register_write (git-fixes). - binfmt_misc: fix possible deadlock in bm_register_write (git-fixes). - blktrace-annotate-required-lock-on-do_blk_trace_setu.patch: (bsc#1171295). - blktrace-Avoid-sparse-warnings-when-assigning-q-blk_.patch: (bsc#1171295). - blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch: (bsc#1171295). - block-clarify-context-for-refcount-increment-helpers.patch: (bsc#1171295). - block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes). - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes). - Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (git-fixes). - bnxt_en: reliably allocate IRQ table on reset to avoid crash (jsc#SLE-8371 bsc#1153274). 
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775). - bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (bsc#1155518). - bpf: Declare __bpf_free_used_maps() unconditionally (bsc#1155518). - bpf: Do not do bpf_cgroup_storage_set() for kuprobe/tp programs (bsc#1155518). - bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170). - bpf_lru_list: Read double-checked variable once without lock (bsc#1155518). - bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775). - bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163). - brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (git-fixes). - brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (git-fixes). - btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (bsc#1184217). - btrfs: always pin deleted leaves when there are active tree mod log users (bsc#1184224). - btrfs: fix exhaustion of the system chunk array due to concurrent allocations (bsc#1183386). - btrfs: fix extent buffer leak on failure to copy root (bsc#1184218). - btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193). - btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled (bsc#1184220). - btrfs: fix subvolume/snapshot deletion not triggered on mount (bsc#1184219). - bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes). - can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes). - can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes). - can: flexcan: assert FRZ bit in flexcan_chip_freeze() (git-fixes). - can: flexcan: enable RX FIFO after FRZ/HALT valid (git-fixes). - can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (git-fixes). - can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (git-fixes). - can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes). 
- can: peak_usb: add forgotten supported devices (git-fixes). - can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes). - can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes). - cdc-acm: fix BREAK rx code path adding necessary calls (git-fixes). - certs: Fix blacklist flag type confusion (git-fixes). - cifs: check pointer before freeing (bsc#1183534). - completion: Drop init_completion define (git-fixes). - configfs: fix a use-after-free in __configfs_open_file (git-fixes). - config: net: freescale: change xgmac-mdio to built-in References: bsc#1183015,bsc#1182595 - crypto: aesni - prevent misaligned buffers on the stack (git-fixes). - crypto: arm64/sha - add missing module aliases (git-fixes). - crypto: bcm - Rename struct device_private to bcm_device_private (git-fixes). - crypto: Kconfig - CRYPTO_MANAGER_EXTRA_TESTS requires the manager (git-fixes). - crypto: tcrypt - avoid signed overflow in byte count (git-fixes). - Delete patches.suse/sched-Reenable-interrupts-in-do_sched_yield.patch (bsc#1183530) - drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue (git-fixes). - drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (git-fixes). - drm/amdgpu: Add check to prevent IH overflow (git-fixes). - drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (git-fixes). - drm/amdkfd: Put ACPI table after using it (bsc#1152489) Backporting notes: * context changes - drm/amd/powerplay: fix spelling mistake "smu_state_memroy_block" -> (bsc#1152489) Backporting notes: * rename amd/pm to amd/powerplay * context changes - drm/compat: Clear bounce structures (git-fixes). - drm/hisilicon: Fix use-after-free (git-fixes). - drm/i915: Reject 446-480MHz HDMI clock on GLK (git-fixes). - drm/mediatek: Fix aal size config (bsc#1152489) - drm: meson_drv add shutdown function (git-fixes). 
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes). - drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (git-fixes). - drm/msm: Fix races managing the OOB state for timestamp vs (bsc#1152489) Backporting notes: - drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes). - drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1152489) - drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1152489) - drm/msm/gem: Add obj->lock wrappers (bsc#1152489) - drm/msm/mdp5: Fix wait-for-commit for cmd panels (git-fixes). - drm/nouveau: bail out of nouveau_channel_new if channel init fails (bsc#1152489) Backporting notes: - drm/nouveau/kms: handle mDP connectors (git-fixes). - drm/panfrost: Do not corrupt the queue mutex on open/close (bsc#1152472) Backporting notes: * context changes - drm/panfrost: Fix job timeout handling (bsc#1152472) Backporting notes: * context changes - drm/panfrost: Remove unused variables in panfrost_job_close() (bsc#1152472) - drm/radeon: fix AGP dependency (git-fixes). - drm: rcar-du: Fix crash when using LVDS1 clock for CRTC (bsc#1152489) Backporting notes: * context changes - drm/sched: Cancel and flush all outstanding jobs before finish (git-fixes). - drm/sun4i: tcon: fix inverted DCLK polarity (bsc#1152489) Backporting notes: * context changes - drm/tegra: sor: Grab runtime PM reference across reset (git-fixes). - drm/vc4: hdmi: Restore cec physical address on reconnect (bsc#1152472) Backporting notes: * context changes * change vc4_hdmi to vc4->hdmi * removed references to encoder->hdmi_monitor - efi: use 32-bit alignment for efi_guid_t literals (git-fixes). - epoll: check for events when removing a timed out thread from the wait queue (git-fixes). - ethernet: alx: fix order of calls on resume (git-fixes). - exec: Move would_dump into flush_old_exec (git-fixes). - exfat: add missing MODULE_ALIAS_FS() (bsc#1182989). 
- exfat: add the dummy mount options to be backward compatible with staging/exfat (bsc#1182989). - extcon: Add stubs for extcon_register_notifier_all() functions (git-fixes). - extcon: Fix error handling in extcon_dev_register (git-fixes). - fbdev: aty: SPARC64 requires FB_ATY_CT (git-fixes). - firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes). - flow_dissector: fix byteorder of dissected ICMP ID (bsc#1154353). - fsl/fman: check dereferencing null pointer (git-fixes). - fsl/fman: fix dereference null return value (git-fixes). - fsl/fman: fix eth hash table allocation (git-fixes). - fsl/fman: fix unreachable code (git-fixes). - fsl/fman: use 32-bit unsigned integer (git-fixes). - fuse: verify write return (git-fixes). - gcc-plugins: drop support for GCC <= 4.7 (bcs#1181862). - gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (bcs#1181862). - gcc-plugins: simplify GCC plugin-dev capability test (bsc#1181862). - gianfar: Account for Tx PTP timestamp in the skb headroom (git-fixes). - gianfar: Fix TX timestamping with a stacked DSA driver (git-fixes). - gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP (git-fixes). - Goodix Fingerprint device is not a modem (git-fixes). - gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes). - gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2 (git-fixes). - gpio: zynq: fix reference leak in zynq_gpio functions (git-fixes). - HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (git-fixes). - HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (git-fixes). - HSI: Fix PM usage counter unbalance in ssi_hw_init (git-fixes). - hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (git-fixes). - i2c: rcar: faster irq code to minimize HW race condition (git-fixes). - i2c: rcar: optimize cacheline to minimize HW race condition (git-fixes). - iavf: Fix incorrect adapter get in iavf_resume (git-fixes). 
- iavf: use generic power management (git-fixes). - ibmvnic: add comments for spinlock_t definitions (bsc#1183871 ltc#192139). - ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844). - ibmvnic: avoid multiple line dereference (bsc#1183871 ltc#192139). - ibmvnic: fix block comments (bsc#1183871 ltc#192139). - ibmvnic: fix braces (bsc#1183871 ltc#192139). - ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139). - ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 ltc#192139). - ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139). - ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1183871 ltc#192139). - ibmvnic: remove excessive irqsave (bsc#1182485 ltc#191591). - ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1183871 ltc#192139). - ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1183871 ltc#192139). - ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1183871 ltc#192139). - ibmvnic: simplify reset_long_term_buff function (bsc#1183023 ltc#191791). - ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1183023 ltc#191791). - ice: fix memory leak if register_netdev_fails (git-fixes). - ice: fix memory leak in ice_vsi_setup (git-fixes). - ice: Fix state bits on LLDP mode switch (jsc#SLE-7926). - ice: renegotiate link after FW DCB on (jsc#SLE-8464). - ice: report correct max number of TCs (jsc#SLE-7926). - ice: update the number of available RSS queues (jsc#SLE-7926). - igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634). - iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (git-fixes). - iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes). - iio: adis16400: Fix an error code in adis16400_initial_setup() (git-fixes). - iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes). - iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes). 
- iio: hid-sensor-prox: Fix scale not correct issue (git-fixes). - iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes). - include/linux/sched/mm.h: use rcu_dereference in in_vfork() (git-fixes). - Input: applespi - do not wait for responses to commands indefinitely (git-fixes). - Input: elantech - fix protocol errors for some trackpoints in SMBus mode (git-fixes). - Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes). - Input: raydium_ts_i2c - do not send zero length (git-fixes). - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes). - iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183277). - iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183278). - iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183637). - iommu/vt-d: Add get_domain_info() helper (bsc#1183279). - iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183280). - iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183281). - iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183282). - iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183283). - iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183284). - iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183285). - iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183286). - ionic: linearize tso skb with too many frags (bsc#1167773). - kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig (bcs#1181862). - kbuild: change *FLAGS_.o to take the path relative to $(obj) (bcs#1181862). - kbuild: dummy-tools, fix inverted tests for gcc (bcs#1181862). - kbuild: dummy-tools, support MPROFILE_KERNEL checks for ppc (bsc#1181862). - kbuild: Fail if gold linker is detected (bcs#1181862). - kbuild: improve cc-option to clean up all temporary files (bsc#1178330). 
- kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled (bcs#1181862).
- kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc (bcs#1181862).
- kbuild: stop filtering out $(GCC_PLUGINS_CFLAGS) from cc-option base (bcs#1181862).
- kbuild: use -S instead of -E for precise cc-option test in Kconfig (bsc#1178330).
- kconfig: introduce m32-flag and m64-flag (bcs#1181862).
- KVM: nVMX: Properly handle userspace interrupt window request (bsc#1183427).
- KVM: SVM: Clear the CR4 register on reset (bsc#1183252).
- KVM: x86: Add helpers to perform CPUID-based guest vendor check (bsc#1183445).
- KVM: x86: Add RIP to the kvm_entry, i.e. VM-Enter, tracepoint
  Needed as a dependency of 0b40723a827 ("kvm: tracing: Fix unmatched kvm_entry and kvm_exit events", bsc#1182770).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183287).
- KVM: x86: do not reset microcode version on INIT or RESET (bsc#1183412).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1183447).
- KVM: x86: list MSR_IA32_UCODE_REV as an emulated MSR (bsc#1183369).
- KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries (bsc#1183428).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183288).
- libbpf: Clear map_info before each bpf_obj_get_info_by_fd (bsc#1155518).
- libbpf: Fix BTF dump of pointer-to-array-of-struct (bsc#1155518).
- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (bsc#1155518).
- lib/syscall: fix syscall registers retrieval on 32-bit platforms (git-fixes).
- loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch: (bsc#1171295).
- mac80211: fix double free in ibss_leave (git-fixes).
- mac80211: fix rate mask reset (git-fixes).
- mdio: fix mdio-thunder.c dependency & build error (git-fixes).
- media: cros-ec-cec: do not bail on device_init_wakeup failure (git-fixes).
- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (git-fixes).
- media: mceusb: Fix potential out-of-bounds shift (git-fixes).
- media: mceusb: sanity check for prescaler value (git-fixes).
- media: rc: compile rc-cec.c into rc-core (git-fixes).
- media: usbtv: Fix deadlock on suspend (git-fixes).
- media: uvcvideo: Allow entities with no pads (git-fixes).
- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (git-fixes).
- media: v4l: vsp1: Fix bru null pointer access (git-fixes).
- media: v4l: vsp1: Fix uif null pointer access (git-fixes).
- media: vicodec: add missing v4l2_ctrl_request_hdl_put() (git-fixes).
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes).
- misc: fastrpc: restrict user apps from sending kernel RPC messages (git-fixes).
- misc/pvpanic: Export module FDT device table (git-fixes).
- misc: rtsx: init of rts522a add OCP power off when no card is present (git-fixes).
- mmc: core: Fix partition switch time for eMMC (git-fixes).
- mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes).
- mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' (git-fixes).
- mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes).
- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page (git-fixes).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1168777).
- mount: fix mounting of detached mounts onto targets that reside on shared mounts (git-fixes).
- mt76: dma: do not report truncated frames to mac80211 (git-fixes).
- mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes).
- net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes).
- net: bonding: fix error return code of bond_neigh_init() (bsc#1154353).
- net: cdc-phonet: fix data-interface release on probe failure (git-fixes).
- net: core: introduce __netdev_notify_peers (bsc#1183871 ltc#192139).
- netdevsim: init u64 stats for 32bit hardware (git-fixes).
- net: dsa: rtl8366: Fix VLAN semantics (git-fixes).
- net: dsa: rtl8366: Fix VLAN set-up (git-fixes).
- net: dsa: rtl8366rb: Support all 4096 VLANs (git-fixes).
- net: enic: Cure the enic api locking trainwreck (git-fixes).
- net: ethernet: aquantia: Fix wrong return value (git-fixes).
- net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop (git-fixes).
- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1183871 ltc#192139).
- net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port (git-fixes).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix reference count leak in fec series ops (git-fixes).
- net: gemini: Fix another missing clk_disable_unprepare() in probe (git-fixes).
- net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gianfar: Add of_node_put() before goto statement (git-fixes).
- net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device (git-fixes).
- net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup (git-fixes).
- net: korina: cast KSEG0 address to pointer in kfree (git-fixes).
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- net/mlx5: Disable devlink reload for lag devices (jsc#SLE-8464).
- net/mlx5: Disable devlink reload for multi port slave device (jsc#SLE-8464).
- net/mlx5: Disallow RoCE on lag device (jsc#SLE-8464).
- net/mlx5: Disallow RoCE on multi port slave device (jsc#SLE-8464).
- net/mlx5e: E-switch, Fix rate calculation division (jsc#SLE-8464).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net: mvneta: fix double free of txq->buf (git-fixes).
- net: mvneta: make tx buffer array agnostic (git-fixes).
- net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes).
- netsec: restore phy power state after controller reset (bsc#1183757).
- net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- net: stmmac: Fix incorrect location to set real_num_rx|tx_queues (git-fixes).
- net: stmmac: removed enabling eee in EEE set callback (git-fixes).
- net: stmmac: use netif_tx_start|stop_all_queues() function (git-fixes).
- net: stmmac: Use rtnl_lock/unlock on netif_set_real_num_rx_queues() call (git-fixes).
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes).
- net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes).
- net: usb: qmi_wwan: support ZTE P685M modem (git-fixes).
- nfp: flower: fix pre_tun mask id allocation (bsc#1154353).
- nvme: allocate the keep alive request using BLK_MQ_REQ_NOWAIT (bsc#1182077).
- nvme-fabrics: fix kato initialization (bsc#1182591).
- nvme-fabrics: only reserve a single tag (bsc#1182077).
- nvme-fc: fix racing controller reset and create association (bsc#1183048).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme: merge nvme_keep_alive into nvme_keep_alive_work (bsc#1182077).
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- nvmet-rdma: Fix list_del corruption on queue establishment failure (bsc#1183501).
- objtool: Fix ".cold" section suffix check for newer versions of GCC (bsc#1169514).
- objtool: Fix error handling for STD/CLD warnings (bsc#1169514).
- objtool: Fix retpoline detection in asm code (bsc#1169514).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1184176).
- ovl: fix out of date comment and unreachable code (bsc#1184176).
- ovl: fix regression with re-formatted lower squashfs (bsc#1184176).
- ovl: fix unneeded call to ovl_change_flags() (bsc#1184176).
- ovl: fix value of i_ino for lower hardlink corner case (bsc#1184176).
- ovl: initialize error in ovl_copy_xattr (bsc#1184176).
- ovl: relax WARN_ON() when decoding lower directory file handle (bsc#1184176).
- PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes).
- PCI: Align checking of syscall user config accessors (git-fixes).
- PCI: Decline to resize resources if boot config must be preserved (git-fixes).
- PCI: Fix pci_register_io_range() memory leak (git-fixes).
- PCI: mediatek: Add missing of_node_put() to fix reference leak (git-fixes).
- PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (git-fixes).
- PCI: xgene-msi: Fix race in installing chained irq handler (git-fixes).
- pinctrl: rockchip: fix restore error in resume (git-fixes).
- Platform: OLPC: Fix probe error handling (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (git-fixes).
- platform/x86: acer-wmi: Add new force_caps module parameter (git-fixes).
- platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (git-fixes).
- platform/x86: acer-wmi: Cleanup accelerometer device handling (git-fixes).
- platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (git-fixes).
- platform/x86: intel-vbtn: Stop reporting SW_DOCK events (git-fixes).
- PM: EM: postpone creating the debugfs dir till fs_initcall (git-fixes).
- PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (bsc#1183366).
- PM: runtime: Fix race getting/putting suppliers at probe (git-fixes).
- powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963).
- powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- printk: fix deadlock when kernel panic (bsc#1183018).
- proc: fix lookup in /proc/net subdirectories after setns(2) (git-fixes).
- pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes).
- qxl: Fix uninitialised struct field head.surface_id (git-fixes).
- random: fix the RNDRESEEDCRNG ioctl (git-fixes).
- RDMA/hns: Disable RQ inline by default (jsc#SLE-8449).
- RDMA/hns: Fix type of sq_signal_bits (jsc#SLE-8449).
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- Revert "net: bonding: fix error return code of bond_neigh_init()" (bsc#1154353).
- rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079).
- rpm/check-for-config-changes: add -mrecord-mcount ignore
  Added by 3b15cdc15956 (tracing: move function tracer options to Kconfig) upstream.
- rpm/check-for-config-changes: comment on the list
  To explain what it actually is.
- rpm/check-for-config-changes: declare sed args as an array
  So that we can reuse it in both seds. This also introduces IGNORED_CONFIGS_RE array which can be easily extended.
- rpm/check-for-config-changes: define ignores more strictly
  * search for whole words, so make wildcards explicit
  * use ' for quoting
  * prepend CONFIG_ dynamically, so it need not be in the list
- rpm/check-for-config-changes: ignore more configs
  Specifically, these:
  * CONFIG_CC_HAS_*
  * CONFIG_CC_HAVE_*
  * CONFIG_CC_CAN_*
  * CONFIG_HAVE_[A-Z]*_COMPILER
  * CONFIG_TOOLS_SUPPORT_*
  are compiler specific too. This will allow us to use super configs using kernel's dummy-tools.
- rpm/check-for-config-changes: sort the ignores
  They are growing so to make them searchable by humans.
- rsi: Fix TX EAPOL packet handling against iwlwifi AP (git-fixes).
- rsi: Move card interrupt handling to RX thread (git-fixes).
- rsxx: Return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/dasd: fix hanging IO request during DASD driver unbind (git-fixes).
- s390/qeth: fix memory leak after failed TX Buffer allocation (git-fixes).
- s390/qeth: fix notification for pending buffers during teardown (git-fixes).
- s390/qeth: improve completion of pending TX buffers (git-fixes).
- s390/qeth: schedule TX NAPI on QAOB completion (git-fixes).
- s390/vtime: fix increased steal time accounting (bsc#1183859).
- samples, bpf: Add missing munmap in xdpsock (bsc#1155518).
- scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574).
- scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574).
- scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574).
- scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574).
- scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574).
- scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574).
- scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574).
- scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574).
- scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574).
- scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574).
- scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574).
- scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574).
- scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574).
- scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574).
- scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574).
- scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574).
- scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574).
- scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574).
- scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574).
- scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574).
- scsi: target: pscsi: Avoid OOM in pscsi_map_sg() (bsc#1183843).
- scsi: target: pscsi: Clean up after failure in pscsi_map_sg() (bsc#1183843).
- selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (bsc#1155518).
- selftests/bpf: No need to drop the packet when there is no geneve opt (bsc#1155518).
- selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (bsc#1155518).
- selinux: fix error initialization in inode_doinit_with_dentry() (git-fixes).
- selinux: Fix error return code in sel_ib_pkey_sid_slow() (git-fixes).
- selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (git-fixes).
- smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
- software node: Fix node registration (git-fixes).
- spi: stm32: make spurious and overrun interrupts visible (git-fixes).
- squashfs: fix inode lookup sanity checks (bsc#1183750).
- squashfs: fix xattr id and id lookup sanity checks (bsc#1183750).
- stop_machine: mark helpers __always_inline (git-fixes).
- udlfb: Fix memory leak in dlfb_usb_probe (git-fixes).
- Update bug reference for USB-audio fixes (bsc#1182552 bsc#1183598)
- USB: cdc-acm: fix double free on probe failure (git-fixes).
- USB: cdc-acm: fix use-after-free after probe failure (git-fixes).
- USB: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board (git-fixes).
- USB: dwc2: Prevent core suspend when port connection flag is 0 (git-fixes).
- USB: dwc3: gadget: Fix dep->interval for fullspeed interrupt (git-fixes).
- USB: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 (git-fixes).
- USB: dwc3: qcom: Add missing DWC3 OF node refcount decrement (git-fixes).
- USB: dwc3: qcom: Honor wakeup enabled/disabled state (git-fixes).
- USB: gadget: configfs: Fix KASAN use-after-free (git-fixes).
- USB: gadget: f_uac1: stop playback on function disable (git-fixes).
- USB: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes).
- USB: gadget: udc: amd5536udc_pci fix null-ptr-dereference (git-fixes).
- USB: gadget: u_ether: Fix a configfs return code (git-fixes).
- USBip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
- USBip: fix stub_dev to check for stream socket (git-fixes).
- USBip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes).
- USBip: fix vhci_hcd attach_store() races leading to gpf (git-fixes).
- USBip: fix vhci_hcd to check for stream socket (git-fixes).
- USBip: fix vudc to check for stream socket (git-fixes).
- USBip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes).
- USBip: tools: fix build error for multiple definition (git-fixes).
- USB: musb: Fix suspend with devices connected for a64 (git-fixes).
- USB: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (git-fixes).
- USB: replace hardcode maximum usb string length by definition (git-fixes).
- USB: serial: ch341: add new Product ID (git-fixes).
- USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (git-fixes).
- USB: serial: cp210x: add some more GE USB IDs (git-fixes).
- USB: serial: ftdi_sio: fix FTX sub-integer prescaler (git-fixes).
- USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
- usb-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
- USB: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
- USB: usblp: fix a hang in poll() if disconnected (git-fixes).
- USB: xhci: do not perform Soft Retry for some xHCI hosts (git-fixes).
- USB: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (git-fixes).
- USB: xhci-mtk: fix broken streams issue on 0.96 xHCI (git-fixes).
- use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139).
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1152489)
- video: hyperv_fb: Fix a double free in hvfb_probe (git-fixes).
- VMCI: Use set_page_dirty_lock() when unregistering guest memory (git-fixes).
- vt/consolemap: do font sum unsigned (git-fixes).
- watchdog: mei_wdt: request stop on unregister (git-fixes).
- wireguard: device: do not generate ICMP for non-IP packets (git-fixes).
- wireguard: kconfig: use arm chacha even with no neon (git-fixes).
- wireguard: selftests: test multiple parallel streams (git-fixes).
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1152489).
- xen/events: avoid handling the same event on two cpus at the same time (git-fixes).
- xen/events: do not unmask an event channel when an eoi is pending (git-fixes).
- xen/events: reset affinity of 2-level event when tearing it down (git-fixes).
- xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- xfs: group quota should return EDQUOT when prj quota enabled (bsc#1180980).
- xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (git-fixes).
- xhci: Improve detection of device initiated wake signal (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-1177=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):

  kernel-devel-azure-5.3.18-18.41.1
  kernel-source-azure-5.3.18-18.41.1

- SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):

  kernel-azure-5.3.18-18.41.1
  kernel-azure-debuginfo-5.3.18-18.41.1
  kernel-azure-debugsource-5.3.18-18.41.1
  kernel-azure-devel-5.3.18-18.41.1
  kernel-azure-devel-debuginfo-5.3.18-18.41.1
  kernel-syms-azure-5.3.18-18.41.1

References:

https://www.suse.com/security/cve/CVE-2019-18814.html
https://www.suse.com/security/cve/CVE-2019-19769.html
https://www.suse.com/security/cve/CVE-2020-27170.html
https://www.suse.com/security/cve/CVE-2020-27171.html
https://www.suse.com/security/cve/CVE-2020-27815.html
https://www.suse.com/security/cve/CVE-2020-35519.html
https://www.suse.com/security/cve/CVE-2021-27363.html
https://www.suse.com/security/cve/CVE-2021-27364.html
https://www.suse.com/security/cve/CVE-2021-27365.html
https://www.suse.com/security/cve/CVE-2021-28038.html
https://www.suse.com/security/cve/CVE-2021-28375.html
https://www.suse.com/security/cve/CVE-2021-28660.html
https://www.suse.com/security/cve/CVE-2021-28688.html
https://www.suse.com/security/cve/CVE-2021-28964.html
https://www.suse.com/security/cve/CVE-2021-28971.html
https://www.suse.com/security/cve/CVE-2021-28972.html
https://www.suse.com/security/cve/CVE-2021-29264.html
https://www.suse.com/security/cve/CVE-2021-29265.html
https://www.suse.com/security/cve/CVE-2021-29647.html
https://www.suse.com/security/cve/CVE-2021-3428.html
https://www.suse.com/security/cve/CVE-2021-3444.html
https://bugzilla.suse.com/1152472
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1153274
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1155518
https://bugzilla.suse.com/1156256
https://bugzilla.suse.com/1159280
https://bugzilla.suse.com/1160634
https://bugzilla.suse.com/1167773
https://bugzilla.suse.com/1168777
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1169709
https://bugzilla.suse.com/1171295
https://bugzilla.suse.com/1173485
https://bugzilla.suse.com/1177326
https://bugzilla.suse.com/1178163
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1179454
https://bugzilla.suse.com/1180197
https://bugzilla.suse.com/1180980
https://bugzilla.suse.com/1181383
https://bugzilla.suse.com/1181674
https://bugzilla.suse.com/1181862
https://bugzilla.suse.com/1182011
https://bugzilla.suse.com/1182077
https://bugzilla.suse.com/1182485
https://bugzilla.suse.com/1182552
https://bugzilla.suse.com/1182574
https://bugzilla.suse.com/1182591
https://bugzilla.suse.com/1182595
https://bugzilla.suse.com/1182715
https://bugzilla.suse.com/1182716
https://bugzilla.suse.com/1182717
https://bugzilla.suse.com/1182770
https://bugzilla.suse.com/1182989
https://bugzilla.suse.com/1183015
https://bugzilla.suse.com/1183018
https://bugzilla.suse.com/1183022
https://bugzilla.suse.com/1183023
https://bugzilla.suse.com/1183048
https://bugzilla.suse.com/1183252
https://bugzilla.suse.com/1183277
https://bugzilla.suse.com/1183278
https://bugzilla.suse.com/1183279
https://bugzilla.suse.com/1183280
https://bugzilla.suse.com/1183281
https://bugzilla.suse.com/1183282
https://bugzilla.suse.com/1183283
https://bugzilla.suse.com/1183284
https://bugzilla.suse.com/1183285
https://bugzilla.suse.com/1183286
https://bugzilla.suse.com/1183287
https://bugzilla.suse.com/1183288
https://bugzilla.suse.com/1183366
https://bugzilla.suse.com/1183369
https://bugzilla.suse.com/1183386
https://bugzilla.suse.com/1183412
https://bugzilla.suse.com/1183416
https://bugzilla.suse.com/1183427
https://bugzilla.suse.com/1183428
https://bugzilla.suse.com/1183445
https://bugzilla.suse.com/1183447
https://bugzilla.suse.com/1183501
https://bugzilla.suse.com/1183509
https://bugzilla.suse.com/1183530
https://bugzilla.suse.com/1183534
https://bugzilla.suse.com/1183540
https://bugzilla.suse.com/1183593
https://bugzilla.suse.com/1183596
https://bugzilla.suse.com/1183598
https://bugzilla.suse.com/1183637
https://bugzilla.suse.com/1183646
https://bugzilla.suse.com/1183662
https://bugzilla.suse.com/1183686
https://bugzilla.suse.com/1183692
https://bugzilla.suse.com/1183696
https://bugzilla.suse.com/1183750
https://bugzilla.suse.com/1183757
https://bugzilla.suse.com/1183775
https://bugzilla.suse.com/1183843
https://bugzilla.suse.com/1183859
https://bugzilla.suse.com/1183871
https://bugzilla.suse.com/1184167
https://bugzilla.suse.com/1184168
https://bugzilla.suse.com/1184170
https://bugzilla.suse.com/1184176
https://bugzilla.suse.com/1184192
https://bugzilla.suse.com/1184193
https://bugzilla.suse.com/1184196
https://bugzilla.suse.com/1184198
https://bugzilla.suse.com/1184217
https://bugzilla.suse.com/1184218
https://bugzilla.suse.com/1184219
https://bugzilla.suse.com/1184220
https://bugzilla.suse.com/1184224

From sle-security-updates at lists.suse.com Tue Apr 13 19:27:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:27:10 +0200 (CEST)
Subject: SUSE-SU-2021:1175-1: important: Security update for the Linux Kernel
Message-ID: <20210413192710.0C4A7F78E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1175-1
Rating: important
References: #1065600 #1065729 #1103990 #1103991 #1103992 #1104270 #1104353 #1109837 #1111981 #1112374 #1113994 #1118657 #1118661 #1119113 #1126390 #1129770 #1132477 #1142635 #1152446 #1154048 #1169709 #1172455 #1173485 #1175165 #1176720 #1176855 #1178163 #1179243 #1179428 #1179454 #1179660 #1179755 #1180846 #1181507 #1181515 #1181544 #1181655 #1181674 #1181747 #1181753 #1181843 #1182011 #1182175 #1182485 #1182574 #1182715 #1182716 #1182717
#1183018 #1183022 #1183023 #1183378 #1183379 #1183380 #1183381 #1183382 #1183416 #1183509 #1183593 #1183646 #1183662 #1183686 #1183692 #1183696 #1183775 #1183861 #1183871 #1184114 #1184167 #1184168 #1184170 #1184192 #1184193 #1184196 #1184198
Cross-References: CVE-2020-0433 CVE-2020-27170 CVE-2020-27171 CVE-2020-27815 CVE-2020-29368 CVE-2020-29374 CVE-2020-35519 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660 CVE-2021-28688 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-3428 CVE-2021-3444
CVSS scores:
  CVE-2020-0433 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-0433 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
  CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
  CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products: SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 24 vulnerabilities and has 51 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-29368, CVE-2020-29374: Fixed an issue in the copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).
- CVE-2020-0433: Fixed a use after free due to improper locking which could have led to local escalation of privilege (bsc#1176720).

The following non-security bugs were fixed:

- ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes).
- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes).
- ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes).
- bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455).
- bfq: update internal depth state when queue depth changes (bsc#1172455).
- block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes).
- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes). - bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775). - bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170). - bpf: fix subprog verifier bypass by div/mod by 0 exception (bsc#1184170). - bpf: fix x64 JIT code generation for jmp to 1st insn (bsc#1178163). - bpf_lru_list: Read double-checked variable once without lock (git-fixes). - bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775). - bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163). - bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes). - can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes). - can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes). - can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes). - can: peak_usb: add forgotten supported devices (git-fixes). - can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes). - can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes). - cifs: change noisy error message to FYI (bsc#1181507). - cifs: check all path components in resolved dfs target (bsc#1179755). - cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507). - cifs: fix nodfs mount option (bsc#1179755). - cifs: introduce helper for finding referral server (bsc#1179755). - cifs: New optype for session operations (bsc#1181507). - cifs: print MIDs in decimal notation (bsc#1181507). - cifs: return proper error code in statfs(2) (bsc#1181507). - cifs: Tracepoints and logs for tracing credit changes (bsc#1181507). - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (bsc#1104270). - dmaengine: hsu: disable spurious interrupt (git-fixes). 
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if (bsc#1129770)
  Backporting notes:
  * context changes
- drm/atomic: Create __drm_atomic_helper_crtc_reset() for subclassing (bsc#1142635)
  Backporting notes:
  * taken for 427c4a0680a2 ("drm/vc4: crtc: Rework a bit the CRTC state code")
  * renamed drm_atomic_state_helper.{c,h} to drm_atomic_helper.{c,h}
  * context changes
- drm: bridge: dw-hdmi: Avoid resetting force in the detect function (bsc#1129770)
  Backporting notes:
  * context changes
- drm/compat: Clear bounce structures (bsc#1129770)
  Backporting notes:
  * context changes
- drm/etnaviv: replace MMU flush marker with flush sequence (bsc#1154048)
  Backporting notes:
  * context changes
- drm/gma500: Fix error return code in psb_driver_load() (bsc#1129770)
- drm/mediatek: Add missing put_device() call in mtk_drm_kms_init() (bsc#1152446)
  Backporting notes:
  * context changes
- drm/mediatek: Fix aal size config (bsc#1129770)
  Backporting notes:
  * access I/O memory with writel()
- drm: meson_drv add shutdown function (git-fixes).
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes).
- drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (bsc#1129770)
- drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes).
- drm: mxsfb: check framebuffer pitch (bsc#1129770)
  Backporting notes:
  * context changes
- drm/omap: fix max fclk divider for omap36xx (bsc#1152446)
- drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel (bsc#1129770)
- drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel (bsc#1129770)
  Backporting notes:
  * context changes
- drm/radeon: fix AGP dependency (git-fixes).
- drm: rcar-du: Put reference to VSP device (bsc#1129770)
  Backporting notes:
  * context changes
- drm/vc4: crtc: Rework a bit the CRTC state code (bsc#1129770)
  Backporting notes:
  * context changes
- drm/vc4: hdmi: Avoid sleeping in atomic context (bsc#1129770)
  Backporting notes:
  * context changes
- ethernet: alx: fix order of calls on resume (git-fixes).
- fbdev: aty: SPARC64 requires FB_ATY_CT (bsc#1129770)
- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes).
- futex: Prevent robust futex exit race (git-fixes).
- gma500: clean up error handling in init (bsc#1129770)
- gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i40e: Add zero-initialization of AQ command structures (bsc#1109837 bsc#1111981).
- i40e: Fix add TC filter for IPv6 (bsc#1109837 bsc#1111981).
- i40e: Fix endianness conversions (bsc#1109837 bsc#1111981).
- IB/mlx5: Return appropriate error code instead of ENOMEM (bsc#1103991).
- ibmvnic: add comments for spinlock_t definitions (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591).
- ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
- ibmvnic: avoid multiple line dereference (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Do not replenish RX buffers after every polling loop (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591). - ibmvnic: Ensure that device queue memory is cache-line aligned (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Ensure that SCRQ entry reads are correctly ordered (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: fix block comments (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix braces (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix miscellaneous checks (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (bsc#1184114 ltc#192237). - ibmvnic: Fix TX completion error handling (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Fix use-after-free of VNIC login response buffer (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: handle inconsistent login with reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Harden device Command Response Queue handshake (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: merge do_change_param_reset into do_reset (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: no reset timeout for 5 seconds after reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: prefer strscpy over strlcpy (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: reduce wait for completion time (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: remove excessive irqsave (bsc#1065729). 
- ibmvnic: remove never executed if statement (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rename send_cap_queries to send_query_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rename send_map_query to send_query_map (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: send_login should check for crq errors (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: simplify reset_long_term_buff function (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791). - ibmvnic: skip send_request_unmap for timeout reset (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591). - ibmvnic: skip tx timeout reset while in resetting (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: stop free_all_rwi on failed reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791). - ibmvnic: track pending login (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Use 'skb_frag_address()' instead of hand coding it (bsc#1184114 ltc#192237). - ice: Account for port VLAN in VF max packet size calculation (bsc#1118661). - igc: check return value of ret_val in igc_config_fc_after_link_up (bsc#1118657). 
- igc: Report speed and duplex as unknown when device is runtime suspended (jsc#SLE-4799). - igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (bsc#1118657). - iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes). - iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes). - iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes). - iio: hid-sensor-prox: Fix scale not correct issue (git-fixes). - iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes). - Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes). - Input: i8042 - unbreak Pegatron C15B (git-fixes). - Input: raydium_ts_i2c - do not send zero length (git-fixes). - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes). - Input: xpad - sync supported devices with fork on GitHub (git-fixes). - iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183378). - iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183379). - iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183380). - iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183381). - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (bsc#1113994). - kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846). - kabi/severities: Add rtas_online_cpus_mask, rtas_offline_cpus_mask - kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846). - kernel/smp: add more data to CSD lock debugging (bsc#1180846). - kernel/smp: prepare more CSD lock debugging (bsc#1180846). - kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846). - KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183382). - lib/crc32test: remove extra local_irq_disable/enable (git-fixes). - mac80211: fix double free in ibss_leave (git-fixes). - mac80211: fix rate mask reset (git-fixes). 
- media: usbtv: Fix deadlock on suspend (git-fixes). - media: uvcvideo: Allow entities with no pads (git-fixes). - misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes). - mmc: core: Fix partition switch time for eMMC (git-fixes). - mmc: core: Use DEFINE_DEBUGFS_ATTRIBUTE instead of DEFINE_SIMPLE_ATTRIBUTE. - mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes). - mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes). - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes). - mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes). - net: bridge: use switchdev for port flags set through sysfs too (bsc#1112374). - net: cdc-phonet: fix data-interface release on probe failure (git-fixes). - net: core: introduce __netdev_notify_peers (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - net: hns3: add a check for index in hclge_get_rss_key() (bsc#1126390). - net: hns3: add a check for queue_id in hclge_reset_vf_queue() (bsc#1104353). - net: hns3: fix bug when calculating the TCAM table info (bsc#1104353). - net: hns3: fix query vlan mask value error for flow director (bsc#1104353). - net/mlx5e: Update max_opened_tc also when channels are closed (bsc#1103990). - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8081 (bsc#1119113). - net: re-solve some conflicts after net -> net-next merge (bsc#1184114 ltc#192237 bsc#1176855 ltc#187293). - net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes). - net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes). - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes). - PCI: Align checking of syscall user config accessors (git-fixes). - phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes). 
- platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes (git-fixes). - powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963). - powerpc: Convert to using %pOFn instead of device_node.name (bsc#1181674 ltc#189159). - powerpc: Fix some spelling mistakes (bsc#1181674 ltc#189159). - powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159). - powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159). - powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159). - powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes). - powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530). - powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159). - powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159). - powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159). - powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159). - powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159). - powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159). - powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159). - powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159). - powerpc/numa: Suppress "VPHN is not supported" messages (bsc#1181674 ltc#189159). - powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n (bsc#1181674 ltc#189159). 
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855). - powerpc/pseries: Generalize hcall_vphn() (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159). 
- powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159). - powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159). - powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159). - powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159). - powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159). - powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159). - powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159). - powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159). - powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159). - powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159). - powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159). - powerpc/rtas: Unexport rtas_online_cpus_mask, rtas_offline_cpus_mask (bsc#1181674 ltc#189159). - powerpc/vio: Use device_type to detect family (bsc#1181674 ltc#189159). - printk: fix deadlock when kernel panic (bsc#1183018). - pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530). - pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530). - pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes). - qxl: Fix uninitialised struct field head.surface_id (git-fixes). - random: fix the RNDRESEEDCRNG ioctl (git-fixes). - rcu: Allow only one expedited GP to run concurrently with (git-fixes) - rcu: Fix missed wakeup of exp_wq waiters (git-fixes) - RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (bsc#1103991). 
- RDMA/rxe: Remove useless code in rxe_recv.c (bsc#1103992 ). - RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709) - RDMA/uverbs: Fix kernel-doc warning of _uverbs_alloc (bsc#1103992). - Revert "ibmvnic: remove never executed if statement" (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079). - rsxx: Return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes). - s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165). - s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165). - s390/vtime: fix increased steal time accounting (bsc#1183861). - sched/fair: Fix wrong cpu selecting from isolated domain (git-fixes) - sched/vtime: Fix guest/system mis-accounting on task switch (git-fixes) - scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574). - scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574). - scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574). - scsi: lpfc: Fix ancient double free (bsc#1182574). - scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574). - scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574). - scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1182574). - scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574). - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574). - scsi: lpfc: Fix kerneldoc inconsistency in lpfc_sli4_dump_page_a0() (bsc#1182574). - scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574). - scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574). 
- scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574). - scsi: lpfc: Fix 'physical' typos (bsc#1182574). - scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574). - scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574). - scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574). - scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574). - scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574). - scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574). - scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574). - scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574). - scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574). - scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574). - scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574). - scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574). - selinux: never allow relabeling on context mounts (git-fixes). - smb3: add dynamic trace point to trace when credits obtained (bsc#1181507). - smb3: fix crediting for compounding when only one request in flight (bsc#1181507). - smp: Add source and destination CPUs to __call_single_data (bsc#1180846). - Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846). - Update config files: disable CONFIG_CSD_LOCK_WAIT_DEBUG (bsc#1180846). - USB: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes). - USBip: fix stub_dev to check for stream socket (git-fixes). - USBip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes). - USBip: Fix unsafe unaligned pointer usage (git-fixes). - USBip: fix vhci_hcd attach_store() races leading to gpf (git-fixes). - USBip: fix vhci_hcd to check for stream socket (git-fixes). - USBip: tools: fix build error for multiple definition (git-fixes). 
- USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
- USB: replace hardcode maximum usb string length by definition (git-fixes).
- USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
- USB: serial: option: add Quectel EM160R-GL (git-fixes).
- USB-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
- USB: usblp: do not call usb_set_interface if there's a single alt (git-commit).
- use __netdev_notify_peers in ibmvnic (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1129770)
- video: fbdev: atmel_lcdfb: fix return error code in (bsc#1129770)
  Backporting notes:
  * context changes
  * fallout from trailing whitespaces
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- xfs: Fix assert failure in xfs_setattr_size() (git-fixes).
- xsk: Remove dangling function declaration from header file (bsc#1109837).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1175=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  kernel-azure-4.12.14-16.50.1
  kernel-azure-base-4.12.14-16.50.1
  kernel-azure-base-debuginfo-4.12.14-16.50.1
  kernel-azure-debuginfo-4.12.14-16.50.1
  kernel-azure-debugsource-4.12.14-16.50.1
  kernel-azure-devel-4.12.14-16.50.1
  kernel-syms-azure-4.12.14-16.50.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  kernel-devel-azure-4.12.14-16.50.1
  kernel-source-azure-4.12.14-16.50.1

References:

https://www.suse.com/security/cve/CVE-2020-0433.html https://www.suse.com/security/cve/CVE-2020-27170.html https://www.suse.com/security/cve/CVE-2020-27171.html https://www.suse.com/security/cve/CVE-2020-27815.html https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2020-29374.html https://www.suse.com/security/cve/CVE-2020-35519.html https://www.suse.com/security/cve/CVE-2021-26930.html https://www.suse.com/security/cve/CVE-2021-26931.html https://www.suse.com/security/cve/CVE-2021-26932.html https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://www.suse.com/security/cve/CVE-2021-28038.html https://www.suse.com/security/cve/CVE-2021-28660.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-28964.html https://www.suse.com/security/cve/CVE-2021-28971.html https://www.suse.com/security/cve/CVE-2021-28972.html https://www.suse.com/security/cve/CVE-2021-29264.html https://www.suse.com/security/cve/CVE-2021-29265.html https://www.suse.com/security/cve/CVE-2021-29647.html https://www.suse.com/security/cve/CVE-2021-3428.html https://www.suse.com/security/cve/CVE-2021-3444.html https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1103990
https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104270 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111981 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113994 https://bugzilla.suse.com/1118657 https://bugzilla.suse.com/1118661 https://bugzilla.suse.com/1119113 https://bugzilla.suse.com/1126390 https://bugzilla.suse.com/1129770 https://bugzilla.suse.com/1132477 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1152446 https://bugzilla.suse.com/1154048 https://bugzilla.suse.com/1169709 https://bugzilla.suse.com/1172455 https://bugzilla.suse.com/1173485 https://bugzilla.suse.com/1175165 https://bugzilla.suse.com/1176720 https://bugzilla.suse.com/1176855 https://bugzilla.suse.com/1178163 https://bugzilla.suse.com/1179243 https://bugzilla.suse.com/1179428 https://bugzilla.suse.com/1179454 https://bugzilla.suse.com/1179660 https://bugzilla.suse.com/1179755 https://bugzilla.suse.com/1180846 https://bugzilla.suse.com/1181507 https://bugzilla.suse.com/1181515 https://bugzilla.suse.com/1181544 https://bugzilla.suse.com/1181655 https://bugzilla.suse.com/1181674 https://bugzilla.suse.com/1181747 https://bugzilla.suse.com/1181753 https://bugzilla.suse.com/1181843 https://bugzilla.suse.com/1182011 https://bugzilla.suse.com/1182175 https://bugzilla.suse.com/1182485 https://bugzilla.suse.com/1182574 https://bugzilla.suse.com/1182715 https://bugzilla.suse.com/1182716 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1183018 https://bugzilla.suse.com/1183022 https://bugzilla.suse.com/1183023 https://bugzilla.suse.com/1183378 https://bugzilla.suse.com/1183379 https://bugzilla.suse.com/1183380 https://bugzilla.suse.com/1183381 https://bugzilla.suse.com/1183382 https://bugzilla.suse.com/1183416 https://bugzilla.suse.com/1183509 https://bugzilla.suse.com/1183593 https://bugzilla.suse.com/1183646 https://bugzilla.suse.com/1183662 
https://bugzilla.suse.com/1183686 https://bugzilla.suse.com/1183692 https://bugzilla.suse.com/1183696 https://bugzilla.suse.com/1183775 https://bugzilla.suse.com/1183861 https://bugzilla.suse.com/1183871 https://bugzilla.suse.com/1184114 https://bugzilla.suse.com/1184167 https://bugzilla.suse.com/1184168 https://bugzilla.suse.com/1184170 https://bugzilla.suse.com/1184192 https://bugzilla.suse.com/1184193 https://bugzilla.suse.com/1184196 https://bugzilla.suse.com/1184198

From sle-security-updates at lists.suse.com Tue Apr 13 19:34:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:34:29 +0200 (CEST)
Subject: SUSE-SU-2021:14690-1: important: Security update for xorg-x11-server
Message-ID: <20210413193429.CDC23F78E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14690-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

  zypper in -t patch slessp4-xorg-x11-server-14690=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

  zypper in -t patch sleposp3-xorg-x11-server-14690=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

  zypper in -t patch dbgsp4-xorg-x11-server-14690=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

  zypper in -t patch dbgsp3-xorg-x11-server-14690=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

  xorg-x11-Xvnc-7.4-27.122.40.1
  xorg-x11-server-7.4-27.122.40.1
  xorg-x11-server-extra-7.4-27.122.40.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

  xorg-x11-Xvnc-7.4-27.122.40.1
  xorg-x11-server-7.4-27.122.40.1
  xorg-x11-server-extra-7.4-27.122.40.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

  xorg-x11-server-debuginfo-7.4-27.122.40.1
  xorg-x11-server-debugsource-7.4-27.122.40.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

  xorg-x11-server-debuginfo-7.4-27.122.40.1
  xorg-x11-server-debugsource-7.4-27.122.40.1

References:

https://www.suse.com/security/cve/CVE-2021-3472.html
https://bugzilla.suse.com/1180128

From sle-security-updates at lists.suse.com Tue Apr 13 19:35:39 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:35:39 +0200 (CEST)
Subject: SUSE-SU-2021:1176-1: important: Security update for the Linux Kernel
Message-ID: <20210413193539.29A7FF78E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1176-1
Rating: important
References: #1065600 #1065729 #1103990 #1103991 #1103992 #1104270 #1104353 #1109837 #1111981 #1112374 #1113994 #1118657 #1118661 #1119113 #1126390 #1129770 #1132477 #1142635 #1152446 #1154048 #1169709 #1172455 #1173485 #1175165 #1176720 #1176855 #1177411 #1178163 #1179243 #1179428 #1179454
#1179660 #1179755 #1180846 #1181515 #1181544 #1181655 #1181674 #1181747 #1181753 #1181843 #1182011 #1182175 #1182485 #1182574 #1182715 #1182716 #1182717 #1183018 #1183022 #1183023 #1183378 #1183379 #1183380 #1183381 #1183382 #1183416 #1183509 #1183593 #1183646 #1183686 #1183692 #1183696 #1183775 #1183861 #1183871 #1184114 #1184167 #1184168 #1184170 #1184192 #1184193 #1184196 #1184198 Cross-References: CVE-2020-0433 CVE-2020-27170 CVE-2020-27171 CVE-2020-27673 CVE-2020-27815 CVE-2020-29368 CVE-2020-29374 CVE-2020-35519 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660 CVE-2021-28688 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-3428 CVE-2021-3444 CVSS scores: CVE-2020-0433 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-0433 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27673 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27673 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-26932 (NVD) : 5.5 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP5 ______________________________________________________________________________ An update that solves 25 vulnerabilities and has 49 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed:
- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out-of-bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-29368, CVE-2020-29374: Fixed an issue in the copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).
- CVE-2020-0433: Fixed a use-after-free due to improper locking which could have led to local escalation of privilege (bsc#1176720).
- CVE-2020-27673: Fixed a potential denial of service at high rate of events to dom0, aka CID-e99502f76271 (bsc#1177411).

The following non-security bugs were fixed:
- ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes).
- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes).
- ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes). - bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455). - bfq: update internal depth state when queue depth changes (bsc#1172455). - block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes). - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes). - Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes). - Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes). - bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775). - bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170). - bpf: fix subprog verifier bypass by div/mod by 0 exception (bsc#1184170). - bpf: fix x64 JIT code generation for jmp to 1st insn (bsc#1178163). - bpf_lru_list: Read double-checked variable once without lock (git-fixes). - bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775). - bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163). - bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes). - can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes). - can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes). - can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes). - can: peak_usb: add forgotten supported devices (git-fixes). - can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes). - can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes). - cifs: check all path components in resolved dfs target (bsc#1179755). - cifs: fix nodfs mount option (bsc#1179755). - cifs: introduce helper for finding referral server (bsc#1179755). - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (bsc#1104270). - dmaengine: hsu: disable spurious interrupt (git-fixes). 
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if (bsc#1129770) Backporting notes: * context changes - drm/atomic: Create __drm_atomic_helper_crtc_reset() for subclassing (bsc#1142635) Backporting notes: * taken for 427c4a0680a2 ("drm/vc4: crtc: Rework a bit the CRTC state code") * renamed drm_atomic_state_helper.{c,h} to drm_atomic_helper.{c,h} * context changes - drm: bridge: dw-hdmi: Avoid resetting force in the detect function (bsc#1129770) Backporting notes: * context changes - drm/compat: Clear bounce structures (bsc#1129770) Backporting notes: * context changes - drm/etnaviv: replace MMU flush marker with flush sequence (bsc#1154048) Backporting notes: * context changes - drm/gma500: Fix error return code in psb_driver_load() (bsc#1129770) - drm/mediatek: Add missing put_device() call in mtk_drm_kms_init() (bsc#1152446) Backporting notes: * context changes - drm/mediatek: Fix aal size config (bsc#1129770) Backporting notes: * access I/O memory with writel() - drm: meson_drv add shutdown function (git-fixes). - drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes). - drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (bsc#1129770) - drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes). - drm: mxsfb: check framebuffer pitch (bsc#1129770) Backporting notes: * context changes - drm/omap: fix max fclk divider for omap36xx (bsc#1152446) - drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel (bsc#1129770) - drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel (bsc#1129770) Backporting notes: * context changes - drm/radeon: fix AGP dependency (git-fixes). 
- drm: rcar-du: Put reference to VSP device (bsc#1129770) Backporting notes: * context changes - drm/vc4: crtc: Rework a bit the CRTC state code (bsc#1129770) Backporting notes: * context changes - drm/vc4: hdmi: Avoid sleeping in atomic context (bsc#1129770) Backporting notes: * context changes - ethernet: alx: fix order of calls on resume (git-fixes). - fbdev: aty: SPARC64 requires FB_ATY_CT (bsc#1129770) - firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes). - futex: Prevent robust futex exit race (git-fixes). - gma500: clean up error handling in init (bsc#1129770) - gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes). - HID: make arrays usage and value to be the same (git-fixes). - i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes). - i40e: Add zero-initialization of AQ command structures (bsc#1109837 bsc#1111981). - i40e: Fix add TC filter for IPv6 (bsc#1109837 bsc#1111981 ). - i40e: Fix endianness conversions (bsc#1109837 bsc#1111981 ). - IB/mlx5: Return appropriate error code instead of ENOMEM (bsc#1103991). - ibmvnic: add comments for spinlock_t definitions (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: add memory barrier to protect long term buffer (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591). - ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844). - ibmvnic: avoid multiple line dereference (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Correctly re-enable interrupts in NAPI polling routine (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: create send_control_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: create send_query_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Do not replenish RX buffers after every polling loop (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). 
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591). - ibmvnic: Ensure that device queue memory is cache-line aligned (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Ensure that SCRQ entry reads are correctly ordered (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: fix block comments (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix braces (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix miscellaneous checks (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (bsc#1184114 ltc#192237). - ibmvnic: Fix TX completion error handling (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Fix use-after-free of VNIC login response buffer (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: handle inconsistent login with reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Harden device Command Response Queue handshake (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: merge do_change_param_reset into do_reset (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: no reset timeout for 5 seconds after reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: prefer strscpy over strlcpy (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: reduce wait for completion time (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: remove excessive irqsave (bsc#1065729). 
- ibmvnic: remove never executed if statement (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rename send_cap_queries to send_query_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rename send_map_query to send_query_map (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - ibmvnic: send_login should check for crq errors (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: simplify reset_long_term_buff function (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791). - ibmvnic: skip send_request_unmap for timeout reset (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591). - ibmvnic: skip tx timeout reset while in resetting (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: stop free_all_rwi on failed reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791). - ibmvnic: track pending login (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). - ice: Account for port VLAN in VF max packet size calculation (bsc#1118661). - igc: check return value of ret_val in igc_config_fc_after_link_up (bsc#1118657). - igc: Report speed and duplex as unknown when device is runtime suspended (jsc#SLE-4799). 
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (bsc#1118657). - iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes). - iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes). - iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes). - iio: hid-sensor-prox: Fix scale not correct issue (git-fixes). - iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes). - Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes). - Input: i8042 - unbreak Pegatron C15B (git-fixes). - Input: raydium_ts_i2c - do not send zero length (git-fixes). - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes). - Input: xpad - sync supported devices with fork on GitHub (git-fixes). - iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183378). - iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183379). - iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183380). - iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183381). - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (bsc#1113994). - kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846). - kabi/severities: Add rtas_online_cpus_mask, rtas_offline_cpus_mask - kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846). - kernel/smp: add more data to CSD lock debugging (bsc#1180846). - kernel/smp: prepare more CSD lock debugging (bsc#1180846). - kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846). - KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183382). - lib/crc32test: remove extra local_irq_disable/enable (git-fixes). - mac80211: fix double free in ibss_leave (git-fixes). - mac80211: fix rate mask reset (git-fixes). - media: usbtv: Fix deadlock on suspend (git-fixes). - media: uvcvideo: Allow entities with no pads (git-fixes). 
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes). - mmc: core: Fix partition switch time for eMMC (git-fixes). - mmc: core: Use DEFINE_DEBUGFS_ATTRIBUTE instead of DEFINE_SIMPLE_ATTRIBUTE. - mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes). - mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes). - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes). - mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes). - net: bridge: use switchdev for port flags set through sysfs too (bsc#1112374). - net: cdc-phonet: fix data-interface release on probe failure (git-fixes). - net: core: introduce __netdev_notify_peers (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). - net: hns3: add a check for index in hclge_get_rss_key() (bsc#1126390). - net: hns3: add a check for queue_id in hclge_reset_vf_queue() (bsc#1104353). - net: hns3: fix bug when calculating the TCAM table info (bsc#1104353). - net: hns3: fix query vlan mask value error for flow director (bsc#1104353). - net/mlx5e: Update max_opened_tc also when channels are closed (bsc#1103990). - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8081 (bsc#1119113). - net: re-solve some conflicts after net -> net-next merge (bsc#1184114 ltc#192237 bsc#1176855 ltc#187293). - net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes). - net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes). - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes). - PCI: Align checking of syscall user config accessors (git-fixes). - phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes). - platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes (git-fixes). 
- powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963). - powerpc: Convert to using %pOFn instead of device_node.name (bsc#1181674 ltc#189159). - powerpc: Fix some spelling mistakes (bsc#1181674 ltc#189159). - powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159). - powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159). - powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159). - powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes). - powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530). - powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159). - powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159). - powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159). - powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159). - powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159). - powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159). - powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159). - powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159). - powerpc/numa: Suppress "VPHN is not supported" messages (bsc#1181674 ltc#189159). - powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n (bsc#1181674 ltc#189159). - powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855). - powerpc/pseries: Generalize hcall_vphn() (bsc#1181674 ltc#189159). 
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159). - powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159). - powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159). - powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159). - powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159). - powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159). 
- powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159). - powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159). - powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159). - powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159). - powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159). - powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159). - powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159). - powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159). - powerpc/rtas: Unexport rtas_online_cpus_mask, rtas_offline_cpus_mask (bsc#1181674 ltc#189159). - powerpc/vio: Use device_type to detect family (bsc#1181674 ltc#189159). - printk: fix deadlock when kernel panic (bsc#1183018). - pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530). - pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530). - pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes). - qxl: Fix uninitialised struct field head.surface_id (git-fixes). - random: fix the RNDRESEEDCRNG ioctl (git-fixes). - rcu: Allow only one expedited GP to run concurrently with (git-fixes) - rcu: Fix missed wakeup of exp_wq waiters (git-fixes) - RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (bsc#1103991). - RDMA/rxe: Remove useless code in rxe_recv.c (bsc#1103992 ). - RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709) - RDMA/uverbs: Fix kernel-doc warning of _uverbs_alloc (bsc#1103992). - Revert "ibmvnic: remove never executed if statement" (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290). 
- rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079). - rsxx: Return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes). - s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165). - s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165). - s390/vtime: fix increased steal time accounting (bsc#1183861). - sched/fair: Fix wrong cpu selecting from isolated domain (git-fixes) - sched/vtime: Fix guest/system mis-accounting on task switch (git-fixes) - scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574). - scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574). - scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574). - scsi: lpfc: Fix ancient double free (bsc#1182574). - scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574). - scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574). - scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1182574). - scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574). - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574). - scsi: lpfc: Fix kerneldoc inconsistency in lpfc_sli4_dump_page_a0() (bsc#1182574). - scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574). - scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574). - scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574). - scsi: lpfc: Fix 'physical' typos (bsc#1182574). - scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574). - scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574). - scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574). 
- scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574). - scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574). - scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574). - scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574). - scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574). - scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574). - scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574). - scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574). - scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574). - selinux: never allow relabeling on context mounts (git-fixes). - smp: Add source and destination CPUs to __call_single_data (bsc#1180846). - Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846). - Update config files: disable CONFIG_CSD_LOCK_WAIT_DEBUG (bsc#1180846). - USB: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes). - USBip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes). - USBip: Fix unsafe unaligned pointer usage (git-fixes). - USBip: fix vhci_hcd attach_store() races leading to gpf (git-fixes). - USBip: tools: fix build error for multiple definition (git-fixes). - USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes). - USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes). - USB: serial: option: add Quectel EM160R-GL (git-fixes). - USB-storage: Add quirk to defeat Kindle's automatic unload (git-fixes). - USB: usblp: do not call usb_set_interface if there's a single alt (git-commit). - use __netdev_notify_peers in ibmvnic (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139). 
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1129770)
- video: fbdev: atmel_lcdfb: fix return error code in (bsc#1129770)
  Backporting notes:
  * context changes
  * fallout from trailing whitespaces
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- xfs: Fix assert failure in xfs_setattr_size() (git-fixes).
- xsk: Remove dangling function declaration from header file (bsc#1109837).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP5:
  zypper in -t patch SUSE-SLE-RT-12-SP5-2021-1176=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):
  cluster-md-kmp-rt-4.12.14-10.37.1
  cluster-md-kmp-rt-debuginfo-4.12.14-10.37.1
  dlm-kmp-rt-4.12.14-10.37.1
  dlm-kmp-rt-debuginfo-4.12.14-10.37.1
  gfs2-kmp-rt-4.12.14-10.37.1
  gfs2-kmp-rt-debuginfo-4.12.14-10.37.1
  kernel-rt-4.12.14-10.37.1
  kernel-rt-base-4.12.14-10.37.1
  kernel-rt-base-debuginfo-4.12.14-10.37.1
  kernel-rt-debuginfo-4.12.14-10.37.1
  kernel-rt-debugsource-4.12.14-10.37.1
  kernel-rt-devel-4.12.14-10.37.1
  kernel-rt-devel-debuginfo-4.12.14-10.37.1
  kernel-rt_debug-4.12.14-10.37.1
  kernel-rt_debug-debuginfo-4.12.14-10.37.1
  kernel-rt_debug-debugsource-4.12.14-10.37.1
  kernel-rt_debug-devel-4.12.14-10.37.1
  kernel-rt_debug-devel-debuginfo-4.12.14-10.37.1
  kernel-syms-rt-4.12.14-10.37.1
  ocfs2-kmp-rt-4.12.14-10.37.1
  ocfs2-kmp-rt-debuginfo-4.12.14-10.37.1

- SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):
  kernel-devel-rt-4.12.14-10.37.1
  kernel-source-rt-4.12.14-10.37.1

References:

https://www.suse.com/security/cve/CVE-2020-0433.html
https://www.suse.com/security/cve/CVE-2020-27170.html
https://www.suse.com/security/cve/CVE-2020-27171.html
https://www.suse.com/security/cve/CVE-2020-27673.html
https://www.suse.com/security/cve/CVE-2020-27815.html
https://www.suse.com/security/cve/CVE-2020-29368.html
https://www.suse.com/security/cve/CVE-2020-29374.html
https://www.suse.com/security/cve/CVE-2020-35519.html
https://www.suse.com/security/cve/CVE-2021-26930.html
https://www.suse.com/security/cve/CVE-2021-26931.html
https://www.suse.com/security/cve/CVE-2021-26932.html
https://www.suse.com/security/cve/CVE-2021-27363.html
https://www.suse.com/security/cve/CVE-2021-27364.html
https://www.suse.com/security/cve/CVE-2021-27365.html
https://www.suse.com/security/cve/CVE-2021-28038.html
https://www.suse.com/security/cve/CVE-2021-28660.html
https://www.suse.com/security/cve/CVE-2021-28688.html
https://www.suse.com/security/cve/CVE-2021-28964.html
https://www.suse.com/security/cve/CVE-2021-28971.html
https://www.suse.com/security/cve/CVE-2021-28972.html
https://www.suse.com/security/cve/CVE-2021-29264.html
https://www.suse.com/security/cve/CVE-2021-29265.html
https://www.suse.com/security/cve/CVE-2021-29647.html
https://www.suse.com/security/cve/CVE-2021-3428.html
https://www.suse.com/security/cve/CVE-2021-3444.html
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1103990
https://bugzilla.suse.com/1103991
https://bugzilla.suse.com/1103992
https://bugzilla.suse.com/1104270
https://bugzilla.suse.com/1104353
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111981
https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1113994
https://bugzilla.suse.com/1118657
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1119113
https://bugzilla.suse.com/1126390
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1132477
https://bugzilla.suse.com/1142635
https://bugzilla.suse.com/1152446
https://bugzilla.suse.com/1154048
https://bugzilla.suse.com/1169709
https://bugzilla.suse.com/1172455
https://bugzilla.suse.com/1173485
https://bugzilla.suse.com/1175165
https://bugzilla.suse.com/1176720
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1178163
https://bugzilla.suse.com/1179243
https://bugzilla.suse.com/1179428
https://bugzilla.suse.com/1179454
https://bugzilla.suse.com/1179660
https://bugzilla.suse.com/1179755
https://bugzilla.suse.com/1180846
https://bugzilla.suse.com/1181515
https://bugzilla.suse.com/1181544
https://bugzilla.suse.com/1181655
https://bugzilla.suse.com/1181674
https://bugzilla.suse.com/1181747
https://bugzilla.suse.com/1181753
https://bugzilla.suse.com/1181843
https://bugzilla.suse.com/1182011
https://bugzilla.suse.com/1182175
https://bugzilla.suse.com/1182485
https://bugzilla.suse.com/1182574
https://bugzilla.suse.com/1182715
https://bugzilla.suse.com/1182716
https://bugzilla.suse.com/1182717
https://bugzilla.suse.com/1183018
https://bugzilla.suse.com/1183022
https://bugzilla.suse.com/1183023
https://bugzilla.suse.com/1183378
https://bugzilla.suse.com/1183379
https://bugzilla.suse.com/1183380
https://bugzilla.suse.com/1183381
https://bugzilla.suse.com/1183382
https://bugzilla.suse.com/1183416
https://bugzilla.suse.com/1183509
https://bugzilla.suse.com/1183593
https://bugzilla.suse.com/1183646
https://bugzilla.suse.com/1183686
https://bugzilla.suse.com/1183692
https://bugzilla.suse.com/1183696
https://bugzilla.suse.com/1183775
https://bugzilla.suse.com/1183861
https://bugzilla.suse.com/1183871
https://bugzilla.suse.com/1184114
https://bugzilla.suse.com/1184167
https://bugzilla.suse.com/1184168
https://bugzilla.suse.com/1184170
https://bugzilla.suse.com/1184192
https://bugzilla.suse.com/1184193
https://bugzilla.suse.com/1184196
https://bugzilla.suse.com/1184198

From sle-security-updates at lists.suse.com Tue Apr 13 19:43:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:43:11 +0200 (CEST)
Subject: SUSE-SU-2021:1179-1: important: Security update for xorg-x11-server
Message-ID: <20210413194311.A8836F78E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1179-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1179=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1179=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1179=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1179=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  xorg-x11-server-1.19.6-8.30.1
  xorg-x11-server-debuginfo-1.19.6-8.30.1
  xorg-x11-server-debugsource-1.19.6-8.30.1
  xorg-x11-server-extra-1.19.6-8.30.1
  xorg-x11-server-extra-debuginfo-1.19.6-8.30.1
  xorg-x11-server-sdk-1.19.6-8.30.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  xorg-x11-server-1.19.6-8.30.1
  xorg-x11-server-debuginfo-1.19.6-8.30.1
  xorg-x11-server-debugsource-1.19.6-8.30.1
  xorg-x11-server-extra-1.19.6-8.30.1
  xorg-x11-server-extra-debuginfo-1.19.6-8.30.1
  xorg-x11-server-sdk-1.19.6-8.30.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  xorg-x11-server-1.19.6-8.30.1
  xorg-x11-server-debuginfo-1.19.6-8.30.1
  xorg-x11-server-debugsource-1.19.6-8.30.1
  xorg-x11-server-extra-1.19.6-8.30.1
  xorg-x11-server-extra-debuginfo-1.19.6-8.30.1
  xorg-x11-server-sdk-1.19.6-8.30.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  xorg-x11-server-1.19.6-8.30.1
  xorg-x11-server-debuginfo-1.19.6-8.30.1
  xorg-x11-server-debugsource-1.19.6-8.30.1
  xorg-x11-server-extra-1.19.6-8.30.1
  xorg-x11-server-extra-debuginfo-1.19.6-8.30.1
  xorg-x11-server-sdk-1.19.6-8.30.1

References:

https://www.suse.com/security/cve/CVE-2021-3472.html
https://bugzilla.suse.com/1180128

From sle-security-updates at lists.suse.com Tue Apr 13 19:44:08 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:44:08 +0200 (CEST)
Subject: SUSE-SU-2021:1174-1: important: Security update for clamav
Message-ID: <20210413194408.CD249F78E@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1174-1
Rating: important
References: #1181256 #1184532 #1184533 #1184534
Cross-References: CVE-2021-1252 CVE-2021-1404 CVE-2021-1405
CVSS scores:
  CVE-2021-1252 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1404 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1405 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for clamav fixes the following issues:

- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1174=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-3.6.1
  clamav-debuginfo-0.103.2-3.6.1
  clamav-debugsource-0.103.2-3.6.1

References:

https://www.suse.com/security/cve/CVE-2021-1252.html
https://www.suse.com/security/cve/CVE-2021-1404.html
https://www.suse.com/security/cve/CVE-2021-1405.html
https://bugzilla.suse.com/1181256
https://bugzilla.suse.com/1184532
https://bugzilla.suse.com/1184533
https://bugzilla.suse.com/1184534

From sle-security-updates at lists.suse.com Tue Apr 13 19:45:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:45:17 +0200 (CEST)
Subject: SUSE-SU-2021:1181-1: important: Security update for xorg-x11-server
Message-ID: <20210413194517.0B461F78E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1181-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1181=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1181=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-debuginfo-1.19.6-10.23.1
  xorg-x11-server-debugsource-1.19.6-10.23.1
  xorg-x11-server-sdk-1.19.6-10.23.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-1.19.6-10.23.1
  xorg-x11-server-debuginfo-1.19.6-10.23.1
  xorg-x11-server-debugsource-1.19.6-10.23.1
  xorg-x11-server-extra-1.19.6-10.23.1
  xorg-x11-server-extra-debuginfo-1.19.6-10.23.1

References:

https://www.suse.com/security/cve/CVE-2021-3472.html
https://bugzilla.suse.com/1180128

From sle-security-updates at lists.suse.com Tue Apr 13 19:46:12 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:46:12 +0200 (CEST)
Subject: SUSE-SU-2021:1180-1: important: Security update for xorg-x11-server
Message-ID: <20210413194612.43DB3F78E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1180-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud 9
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1180=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1180=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1180=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1180=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  xorg-x11-server-1.19.6-4.22.1
  xorg-x11-server-debuginfo-1.19.6-4.22.1
  xorg-x11-server-debugsource-1.19.6-4.22.1
  xorg-x11-server-extra-1.19.6-4.22.1
  xorg-x11-server-extra-debuginfo-1.19.6-4.22.1

- SUSE OpenStack Cloud 9 (x86_64):
  xorg-x11-server-1.19.6-4.22.1
  xorg-x11-server-debuginfo-1.19.6-4.22.1
  xorg-x11-server-debugsource-1.19.6-4.22.1
  xorg-x11-server-extra-1.19.6-4.22.1
  xorg-x11-server-extra-debuginfo-1.19.6-4.22.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  xorg-x11-server-1.19.6-4.22.1
  xorg-x11-server-debuginfo-1.19.6-4.22.1
  xorg-x11-server-debugsource-1.19.6-4.22.1
  xorg-x11-server-extra-1.19.6-4.22.1
  xorg-x11-server-extra-debuginfo-1.19.6-4.22.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-1.19.6-4.22.1
  xorg-x11-server-debuginfo-1.19.6-4.22.1
  xorg-x11-server-debugsource-1.19.6-4.22.1
  xorg-x11-server-extra-1.19.6-4.22.1
  xorg-x11-server-extra-debuginfo-1.19.6-4.22.1

References:

https://www.suse.com/security/cve/CVE-2021-3472.html
https://bugzilla.suse.com/1180128

From sle-security-updates at lists.suse.com Tue Apr 13 19:47:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 13 Apr 2021 21:47:10 +0200 (CEST)
Subject: SUSE-SU-2021:1182-1: important: Security update for xorg-x11-server
Message-ID: <20210413194710.BAF78F78E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1182-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP3
  SUSE Linux Enterprise Workstation Extension 15-SP2
  SUSE Linux Enterprise Module for Development Tools 15-SP3
  SUSE Linux Enterprise Module for Development Tools 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP3:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1182=1
- SUSE Linux Enterprise Workstation Extension 15-SP2:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1182=1
- SUSE Linux Enterprise Module for Development Tools 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1182=1
- SUSE Linux Enterprise Module for Development Tools 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1182=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1182=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1182=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-wayland-1.20.3-22.5.25.1
  xorg-x11-server-wayland-debuginfo-1.20.3-22.5.25.1

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-wayland-1.20.3-22.5.25.1
  xorg-x11-server-wayland-debuginfo-1.20.3-22.5.25.1

- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-sdk-1.20.3-22.5.25.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-sdk-1.20.3-22.5.25.1

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-1.20.3-22.5.25.1
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-extra-1.20.3-22.5.25.1
  xorg-x11-server-extra-debuginfo-1.20.3-22.5.25.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  xorg-x11-server-1.20.3-22.5.25.1
  xorg-x11-server-debuginfo-1.20.3-22.5.25.1
  xorg-x11-server-debugsource-1.20.3-22.5.25.1
  xorg-x11-server-extra-1.20.3-22.5.25.1
  xorg-x11-server-extra-debuginfo-1.20.3-22.5.25.1

References:

https://www.suse.com/security/cve/CVE-2021-3472.html
https://bugzilla.suse.com/1180128

From sle-security-updates at lists.suse.com Wed Apr 14 06:08:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Apr 2021 08:08:29 +0200 (CEST)
Subject: SUSE-CU-2021:104-1: Security update of suse/sles12sp4
Message-ID: <20210414060829.BBB5DB4624F@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:104-1
Container Tags : suse/sles12sp4:26.273 , suse/sles12sp4:latest
Container Release : 26.273
Severity : important
Type : security
References : 1178386 1179694 1179721 1184034 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573
-----------------------------------------------------------------

The container suse/sles12sp4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1165-1
Released: Tue Apr 13 14:03:17 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1184034,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573

This update for glibc fixes the following issues:

- CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386)
- CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694)
- CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721)
- Check vector support in memmove ifunc-selector (bsc#1184034)

From sle-security-updates at lists.suse.com Wed Apr 14 06:15:54 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Apr 2021 08:15:54 +0200 (CEST)
Subject: SUSE-CU-2021:105-1: Security update of suse/sles12sp5
Message-ID: <20210414061555.0657BB4624F@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:105-1
Container Tags : suse/sles12sp5:6.5.159 , suse/sles12sp5:latest
Container Release : 6.5.159
Severity : important
Type : security
References : 1178386 1179694 1179721 1184034 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1165-1
Released: Tue Apr 13 14:03:17 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1184034,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573

This update for glibc fixes the following issues:

- CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386)
- CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694)
- CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721)
- Check vector support in memmove ifunc-selector (bsc#1184034)

From sle-security-updates at lists.suse.com Wed Apr 14 13:18:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Apr 2021 15:18:32 +0200 (CEST)
Subject: SUSE-SU-2021:14692-1: important: Security update for clamav
Message-ID: <20210414131832.E13CFFCFA@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14692-1
Rating: important
References: #1181256 #1184532 #1184533 #1184534
Cross-References: CVE-2021-1252 CVE-2021-1404 CVE-2021-1405
CVSS scores:
  CVE-2021-1252 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1404 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1405 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for clamav fixes the following issues:

- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-clamav-14692=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-clamav-14692=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-clamav-14692=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-clamav-14692=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  clamav-0.103.2-0.20.35.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  clamav-0.103.2-0.20.35.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  clamav-debuginfo-0.103.2-0.20.35.1
  clamav-debugsource-0.103.2-0.20.35.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  clamav-debuginfo-0.103.2-0.20.35.1
  clamav-debugsource-0.103.2-0.20.35.1

References:

https://www.suse.com/security/cve/CVE-2021-1252.html
https://www.suse.com/security/cve/CVE-2021-1404.html
https://www.suse.com/security/cve/CVE-2021-1405.html
https://bugzilla.suse.com/1181256
https://bugzilla.suse.com/1184532
https://bugzilla.suse.com/1184533
https://bugzilla.suse.com/1184534

From sle-security-updates at lists.suse.com Wed Apr 14 16:16:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Apr 2021 18:16:04 +0200 (CEST)
Subject: SUSE-SU-2021:1190-1: important: Security update for clamav
Message-ID: <20210414161604.1B042FCF8@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1190-1
Rating: important
References: #1181256 #1184532 #1184533 #1184534
Cross-References: CVE-2021-1252 CVE-2021-1404 CVE-2021-1405
CVSS scores:
  CVE-2021-1252 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1404 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-1405 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for clamav fixes the following issues:

- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1190=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1190=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1190=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1190=1
- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1190=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1190=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1190=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1190=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1190=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1190=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1190=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1190=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1190=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1190=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-1190=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Manager Retail Branch Server 4.0 (x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Manager Proxy 4.0 (x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE Enterprise Storage 6 (aarch64 x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

- SUSE CaaS Platform 4.0 (x86_64):
  clamav-0.103.2-3.26.1
  clamav-debuginfo-0.103.2-3.26.1
  clamav-debugsource-0.103.2-3.26.1
  clamav-devel-0.103.2-3.26.1
  libclamav9-0.103.2-3.26.1
  libclamav9-debuginfo-0.103.2-3.26.1
  libfreshclam2-0.103.2-3.26.1
  libfreshclam2-debuginfo-0.103.2-3.26.1

References:

https://www.suse.com/security/cve/CVE-2021-1252.html
https://www.suse.com/security/cve/CVE-2021-1404.html
https://www.suse.com/security/cve/CVE-2021-1405.html
https://bugzilla.suse.com/1181256
https://bugzilla.suse.com/1184532
https://bugzilla.suse.com/1184533
https://bugzilla.suse.com/1184534

From sle-security-updates at lists.suse.com Wed Apr 14 16:17:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Apr 2021 18:17:29 +0200 (CEST)
Subject: SUSE-SU-2021:1188-1: important: Security update for xorg-x11-server
Message-ID: <20210414161729.8AA4DFCF8@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1188-1
Rating: important
References: #1180128
Cross-References: CVE-2021-3472
Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-server fixes the following issues:

- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1188=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1188=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1188=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1188=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1188=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1188=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1188=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1188=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-1188=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool.
It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Manager Proxy 4.0 (x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Linux Enterprise High Performance Computing 
15-SP1-LTSS (aarch64 x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 - SUSE CaaS Platform 4.0 (x86_64): xorg-x11-server-1.20.3-14.5.16.1 xorg-x11-server-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-debugsource-1.20.3-14.5.16.1 xorg-x11-server-extra-1.20.3-14.5.16.1 xorg-x11-server-extra-debuginfo-1.20.3-14.5.16.1 xorg-x11-server-sdk-1.20.3-14.5.16.1 References: https://www.suse.com/security/cve/CVE-2021-3472.html https://bugzilla.suse.com/1180128 From sle-security-updates at lists.suse.com Wed Apr 14 16:18:38 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Apr 2021 18:18:38 +0200 (CEST) Subject: SUSE-SU-2021:1189-1: important: Security update for clamav Message-ID: <20210414161838.9AA4AFCF8@maintenance.suse.de> SUSE Security Update: Security update for clamav ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1189-1 Rating: important References: #1181256 #1184532 #1184533 #1184534 Cross-References: CVE-2021-1252 CVE-2021-1404 CVE-2021-1405 CVSS scores: CVE-2021-1252 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-1404 (SUSE): 
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-1405 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for clamav fixes the following issues: - CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532) - CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533) - CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534) - Fix errors when scanning files > 4G (bsc#1181256) - Update clamav.keyring - Update to 0.103.2 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1189=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1189=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1189=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1189=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1189=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1189=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1189=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1189=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1189=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1189=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1189=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1189=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1189=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE OpenStack Cloud 9 (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE OpenStack Cloud 8 (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 
clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 - HPE Helion Openstack 8 (x86_64): clamav-0.103.2-33.35.1 clamav-debuginfo-0.103.2-33.35.1 clamav-debugsource-0.103.2-33.35.1 References: https://www.suse.com/security/cve/CVE-2021-1252.html https://www.suse.com/security/cve/CVE-2021-1404.html https://www.suse.com/security/cve/CVE-2021-1405.html https://bugzilla.suse.com/1181256 https://bugzilla.suse.com/1184532 https://bugzilla.suse.com/1184533 https://bugzilla.suse.com/1184534 From sle-security-updates at lists.suse.com Wed Apr 14 16:20:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 14 Apr 2021 18:20:00 +0200 (CEST) Subject: SUSE-SU-2021:1187-1: important: Security update for xorg-x11-server Message-ID: <20210414162000.B32EAFCF8@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-server 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1187-1 Rating: important References: #1180128 Cross-References: CVE-2021-3472 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xorg-x11-server fixes the following issues: - CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1187=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1187=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1187=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1187=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1187=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1187=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1187=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1187=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1187=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): 
xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE OpenStack Cloud 8 (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 
xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 - HPE Helion Openstack 8 (x86_64): xorg-x11-server-7.6_1.18.3-76.40.1 xorg-x11-server-debuginfo-7.6_1.18.3-76.40.1 xorg-x11-server-debugsource-7.6_1.18.3-76.40.1 xorg-x11-server-extra-7.6_1.18.3-76.40.1 xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.40.1 References: https://www.suse.com/security/cve/CVE-2021-3472.html https://bugzilla.suse.com/1180128 From sle-security-updates at lists.suse.com Wed Apr 14 22:16:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Apr 2021 00:16:57 +0200 (CEST) Subject: SUSE-SU-2021:14693-1: important: Security update for util-linux Message-ID: <20210414221657.0F5C7FCF8@maintenance.suse.de> SUSE Security Update: Security update for util-linux ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14693-1 Rating: important References: #1040414 #903440 #903738 #923777 #923904 #924994 #925705 #930236 #931607 #949754 Cross-References: CVE-2015-5218 Affected Products: SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves one vulnerability and has 9 fixes is now available. Description: This update for util-linux fixes the following issues: - CVE-2015-5218: Prevent colcrt buffer overflow. (bsc#949754) These non-security issues were fixed: - Mount crashes when trying to mount `shmfs` while `SELinux` is active. (bsc#1040414) - Fix `lsblk -f` on `CCISS` and other devices with nodes in `/dev` subdirectory. (bsc#924994) - Fix `script(1)` hang caused by mis-interpreted EOF on big-endian platforms. (bsc#930236) - Do not segfault when TERM is not defined or wrong. (bsc#903440) - Update and fix mount XFS documentation. 
(bsc#925705) - Fix recognition of `/dev/dm-N` partitions names. (bsc#931607) - Follow SUSE Linux Enterprise 11 device mapper partition names configuration. (bsc#931607) - Fix recognition of device mapper partitions. (bsc#923904) - Fix `fsck -C {fd}` parsing. (bsc#923777, bsc#903738) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-util-linux-14693=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-util-linux-14693=1 Package List: - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libblkid1-2.19.1-6.62.7.1 libuuid1-2.19.1-6.62.7.1 util-linux-2.19.1-6.62.7.1 util-linux-lang-2.19.1-6.62.7.1 uuid-runtime-2.19.1-6.62.7.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): util-linux-debuginfo-2.19.1-6.62.7.1 util-linux-debugsource-2.19.1-6.62.7.1 References: https://www.suse.com/security/cve/CVE-2015-5218.html https://bugzilla.suse.com/1040414 https://bugzilla.suse.com/903440 https://bugzilla.suse.com/903738 https://bugzilla.suse.com/923777 https://bugzilla.suse.com/923904 https://bugzilla.suse.com/924994 https://bugzilla.suse.com/925705 https://bugzilla.suse.com/930236 https://bugzilla.suse.com/931607 https://bugzilla.suse.com/949754 From sle-security-updates at lists.suse.com Thu Apr 15 16:31:47 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 15 Apr 2021 18:31:47 +0200 (CEST) Subject: SUSE-SU-2021:1210-1: important: Security update for the Linux Kernel Message-ID: <20210415163147.566C5FCF8@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1210-1 Rating: important References: #1065600 #1065729 #1103990 #1103991 #1103992 
#1104270 #1104353 #1109837 #1111981 #1112374 #1113295 #1113994 #1118657 #1118661 #1119113 #1126390 #1129770 #1132477 #1142635 #1152446 #1154048 #1169709 #1172455 #1173485 #1175165 #1176720 #1176855 #1178163 #1178181 #1179243 #1179428 #1179454 #1179660 #1179755 #1180846 #1181507 #1181515 #1181544 #1181655 #1181674 #1181747 #1181753 #1181843 #1182011 #1182175 #1182485 #1182574 #1182715 #1182716 #1182717 #1183018 #1183022 #1183023 #1183378 #1183379 #1183380 #1183381 #1183382 #1183405 #1183416 #1183509 #1183593 #1183646 #1183662 #1183686 #1183692 #1183696 #1183755 #1183775 #1183861 #1183871 #1184114 #1184120 #1184167 #1184168 #1184170 #1184192 #1184193 #1184196 #1184198 #1184391 #1184393 #1184397 #1184494 #1184511 #1184583 Cross-References: CVE-2020-0433 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-27170 CVE-2020-27171 CVE-2020-27815 CVE-2020-29368 CVE-2020-29374 CVE-2020-35519 CVE-2020-36311 CVE-2021-20219 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660 CVE-2021-28688 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-30002 CVE-2021-3428 CVE-2021-3444 CVE-2021-3483 CVSS scores: CVE-2020-0433 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-0433 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-20219 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 
(NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that solves 33 vulnerabilities and has 53 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170). - CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485). - CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ). - CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167). - CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168). 
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-29368, CVE-2020-29374: Fixed an issue in the copy-on-write implementation which could have granted unintended write access (bsc#1179660, bsc#1179428).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2020-0433: Fixed a use after free due to improper locking which could have led to local escalation of privilege (bsc#1176720).
- CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
- CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-20219: Fixed a denial of service in n_tty_receive_char_special (bsc#1184397).
- CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in the NFC subsystem (bsc#1178181).

The following non-security bugs were fixed:

- ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes).
- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes).
- ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes).
- bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455).
- bfq: update internal depth state when queue depth changes (bsc#1172455).
- block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes).
- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170).
- bpf: fix subprog verifier bypass by div/mod by 0 exception (bsc#1184170).
- bpf: fix x64 JIT code generation for jmp to 1st insn (bsc#1178163).
- bpf_lru_list: Read double-checked variable once without lock (git-fixes).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163).
- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes).
- can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes).
- can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes).
- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes).
- can: peak_usb: add forgotten supported devices (git-fixes).
- can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes).
- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes).
- cifs: change noisy error message to FYI (bsc#1181507).
- cifs: check all path components in resolved dfs target (bsc#1179755).
- cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507).
- cifs: do not send close in compound create+close requests (bsc#1181507).
- cifs: fix nodfs mount option (bsc#1179755).
- cifs: introduce helper for finding referral server (bsc#1179755).
- cifs: New optype for session operations (bsc#1181507).
- cifs: print MIDs in decimal notation (bsc#1181507).
- cifs: return proper error code in statfs(2) (bsc#1181507).
- cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (bsc#1104270).
- dmaengine: hsu: disable spurious interrupt (git-fixes).
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if (bsc#1129770)
- drm/atomic: Create __drm_atomic_helper_crtc_reset() for subclassing (bsc#1142635)
- drm: bridge: dw-hdmi: Avoid resetting force in the detect function (bsc#1129770)
- drm/compat: Clear bounce structures (bsc#1129770)
- drm/etnaviv: replace MMU flush marker with flush sequence (bsc#1154048)
- drm/gma500: Fix error return code in psb_driver_load() (bsc#1129770)
- drm/mediatek: Add missing put_device() call in mtk_drm_kms_init() (bsc#1152446)
- drm/mediatek: Fix aal size config (bsc#1129770)
- drm: meson_drv add shutdown function (git-fixes).
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes).
- drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (bsc#1129770)
- drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes).
- drm: mxsfb: check framebuffer pitch (bsc#1129770)
- drm/omap: fix max fclk divider for omap36xx (bsc#1152446)
- drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel (bsc#1129770)
- drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel (bsc#1129770)
- drm/radeon: fix AGP dependency (git-fixes).
- drm: rcar-du: Put reference to VSP device (bsc#1129770)
- drm/vc4: crtc: Rework a bit the CRTC state code (bsc#1129770)
- drm/vc4: hdmi: Avoid sleeping in atomic context (bsc#1129770)
- ethernet: alx: fix order of calls on resume (git-fixes).
- fbdev: aty: SPARC64 requires FB_ATY_CT (bsc#1129770)
- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes).
- fix setting irq affinity (bsc#1184583)
- futex: Prevent robust futex exit race (git-fixes).
- gma500: clean up error handling in init (bsc#1129770)
- gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i40e: Add zero-initialization of AQ command structures (bsc#1109837 bsc#1111981).
- i40e: Fix add TC filter for IPv6 (bsc#1109837 bsc#1111981).
- i40e: Fix endianness conversions (bsc#1109837 bsc#1111981).
- IB/mlx5: Return appropriate error code instead of ENOMEM (bsc#1103991).
- ibmvnic: add comments for spinlock_t definitions (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591).
- ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
- ibmvnic: avoid multiple line dereference (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Do not replenish RX buffers after every polling loop (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591).
- ibmvnic: Ensure that device queue memory is cache-line aligned (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: fix block comments (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: fix braces (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: fix miscellaneous checks (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (bsc#1184114 ltc#192237).
- ibmvnic: Fix TX completion error handling (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Fix use-after-free of VNIC login response buffer (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: handle inconsistent login with reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Harden device Command Response Queue handshake (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: merge do_change_param_reset into do_reset (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: no reset timeout for 5 seconds after reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: prefer strscpy over strlcpy (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: reduce wait for completion time (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: remove excessive irqsave (bsc#1065729).
- ibmvnic: remove never executed if statement (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: rename send_cap_queries to send_query_cap (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: rename send_map_query to send_query_map (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- ibmvnic: send_login should check for crq errors (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: simplify reset_long_term_buff function (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791).
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1184114 ltc#192237 bsc#1182485 ltc#191591).
- ibmvnic: skip tx timeout reset while in resetting (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: stop free_all_rwi on failed reset (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1184114 ltc#192237 bsc#1183023 ltc#191791).
- ibmvnic: track pending login (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- ibmvnic: Use 'skb_frag_address()' instead of hand coding it (bsc#1184114 ltc#192237).
- ice: Account for port VLAN in VF max packet size calculation (bsc#1118661).
- igc: check return value of ret_val in igc_config_fc_after_link_up (bsc#1118657).
- igc: Report speed and duplex as unknown when device is runtime suspended (jsc#SLE-4799).
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (bsc#1118657).
- iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes).
- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes).
- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes).
- iio: hid-sensor-prox: Fix scale not correct issue (git-fixes).
- iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes).
- Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes).
- Input: i8042 - unbreak Pegatron C15B (git-fixes).
- Input: raydium_ts_i2c - do not send zero length (git-fixes).
- Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes).
- Input: xpad - sync supported devices with fork on GitHub (git-fixes).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183378).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183379).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183380).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183381).
- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (bsc#1113994).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kabi/severities: Add rtas_online_cpus_mask, rtas_offline_cpus_mask
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183382).
- lib/crc32test: remove extra local_irq_disable/enable (git-fixes).
- locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes).
- mac80211: fix double free in ibss_leave (git-fixes).
- mac80211: fix rate mask reset (git-fixes).
- media: usbtv: Fix deadlock on suspend (git-fixes).
- media: uvcvideo: Allow entities with no pads (git-fixes).
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes).
- mmc: core: Fix partition switch time for eMMC (git-fixes).
- mmc: core: Use DEFINE_DEBUGFS_ATTRIBUTE instead of DEFINE_SIMPLE_ATTRIBUTE.
- mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes).
- mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes).
- mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes).
- mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes).
- net: bridge: use switchdev for port flags set through sysfs too (bsc#1112374).
- net: cdc-phonet: fix data-interface release on probe failure (git-fixes).
- net: core: introduce __netdev_notify_peers (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- net: hns3: add a check for index in hclge_get_rss_key() (bsc#1126390).
- net: hns3: add a check for queue_id in hclge_reset_vf_queue() (bsc#1104353).
- net: hns3: fix bug when calculating the TCAM table info (bsc#1104353).
- net: hns3: fix query vlan mask value error for flow director (bsc#1104353).
- net/mlx5e: Update max_opened_tc also when channels are closed (bsc#1103990).
- net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8081 (bsc#1119113).
- net: re-solve some conflicts after net -> net-next merge (bsc#1184114 ltc#192237 bsc#1176855 ltc#187293).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes).
- net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes).
- PCI: Align checking of syscall user config accessors (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes (git-fixes).
- powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729).
- powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963).
- powerpc: Convert to using %pOFn instead of device_node.name (bsc#1181674 ltc#189159).
- powerpc: Fix some spelling mistakes (bsc#1181674 ltc#189159).
- powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159).
- powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159).
- powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159).
- powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes).
- powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530).
- powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159).
- powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159).
- powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159).
- powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159).
- powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159).
- powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159).
- powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159).
- powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159).
- powerpc/numa: Suppress "VPHN is not supported" messages (bsc#1181674 ltc#189159).
- powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n (bsc#1181674 ltc#189159).
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855).
- powerpc/pseries: Generalize hcall_vphn() (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: do not error on absence of ibm,update-nodes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729).
- powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
- powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159).
- powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
- powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
- powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
- powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
- powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
- powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
- powerpc/rtas: Unexport rtas_online_cpus_mask, rtas_offline_cpus_mask (bsc#1181674 ltc#189159).
- powerpc/vio: Use device_type to detect family (bsc#1181674 ltc#189159).
- printk: fix deadlock when kernel panic (bsc#1183018).
- pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
- pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
- pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes).
- qxl: Fix uninitialised struct field head.surface_id (git-fixes).
- random: fix the RNDRESEEDCRNG ioctl (git-fixes).
- rcu: Allow only one expedited GP to run concurrently with (git-fixes)
- rcu: Fix missed wakeup of exp_wq waiters (git-fixes)
- RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (bsc#1103991).
- RDMA/rxe: Remove useless code in rxe_recv.c (bsc#1103992).
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- RDMA/uverbs: Fix kernel-doc warning of _uverbs_alloc (bsc#1103992).
- Revert "ibmvnic: remove never executed if statement" (bsc#1184114 ltc#192237 bsc#1179243 ltc#189290).
- rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079).
- rsxx: Return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165).
- s390/dasd: fix hanging offline processing due to canceled worker (bsc#1175165).
- s390/pci: Fix s390_mmio_read/write with MIO (LTC#192079 bsc#1183755).
- s390/vtime: fix increased steal time accounting (bsc#1183861).
- sched/fair: Fix wrong cpu selecting from isolated domain (git-fixes)
- sched/vtime: Fix guest/system mis-accounting on task switch (git-fixes)
- scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574).
- scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574).
- scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574).
- scsi: lpfc: Fix ancient double free (bsc#1182574).
- scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574).
- scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574).
- scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1182574).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574).
- scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574).
- scsi: lpfc: Fix kerneldoc inconsistency in lpfc_sli4_dump_page_a0() (bsc#1182574).
- scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574).
- scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574).
- scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574).
- scsi: lpfc: Fix 'physical' typos (bsc#1182574).
- scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574).
- scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574).
- scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574).
- scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574).
- scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574).
- scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574).
- scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574).
- scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574).
- scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574).
- scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574).
- scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574).
- selinux: never allow relabeling on context mounts (git-fixes).
- smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
- smb3: fix crediting for compounding when only one request in flight (bsc#1181507).
- smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
- Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
- Update config files: disable CONFIG_CSD_LOCK_WAIT_DEBUG (bsc#1180846).
- usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes).
- usbip: fix stub_dev to check for stream socket (git-fixes).
- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes).
- usbip: Fix unsafe unaligned pointer usage (git-fixes).
- usbip: fix vhci_hcd attach_store() races leading to gpf (git-fixes).
- usbip: fix vhci_hcd to check for stream socket (git-fixes).
- usbip: tools: fix build error for multiple definition (git-fixes).
- usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
- usb: replace hardcode maximum usb string length by definition (git-fixes).
- usb: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
- usb: serial: option: add Quectel EM160R-GL (git-fixes).
- usb-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
- use __netdev_notify_peers in ibmvnic (bsc#1184114 ltc#192237 bsc#1183871 ltc#192139).
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1129770)
- video: fbdev: atmel_lcdfb: fix return error code in (bsc#1129770)
  Backporting notes:
  * context changes
  * fallout from trailing whitespaces
- vsprintf: Do not have bprintf dereference pointers (bsc#1184494).
- vsprintf: Do not preprocess non-dereferenced pointers for bprintf (%px and %pK) (bsc#1184494).
- vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers (bsc#1184494).
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- x86/ioapic: Ignore IRQ2 again (12sp5).
- x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (12sp5).
- xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- xfs: Fix assert failure in xfs_setattr_size() (git-fixes).
- xsk: Remove dangling function declaration from header file (bsc#1109837).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2021-1210=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1210=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1210=1
- SUSE Linux Enterprise Live Patching 12-SP5:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1210=1
- SUSE Linux Enterprise High Availability 12-SP5:
  zypper in -t patch SUSE-SLE-HA-12-SP5-2021-1210=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  kernel-default-debuginfo-4.12.14-122.66.2
  kernel-default-debugsource-4.12.14-122.66.2
  kernel-default-extra-4.12.14-122.66.2
  kernel-default-extra-debuginfo-4.12.14-122.66.2
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-122.66.2
  kernel-obs-build-debugsource-4.12.14-122.66.2
- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
  kernel-docs-4.12.14-122.66.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-122.66.2
  kernel-default-base-4.12.14-122.66.2
  kernel-default-base-debuginfo-4.12.14-122.66.2
  kernel-default-debuginfo-4.12.14-122.66.2
  kernel-default-debugsource-4.12.14-122.66.2
  kernel-default-devel-4.12.14-122.66.2
  kernel-syms-4.12.14-122.66.2
- SUSE Linux Enterprise Server 12-SP5 (noarch):
  kernel-devel-4.12.14-122.66.2
  kernel-macros-4.12.14-122.66.2
  kernel-source-4.12.14-122.66.2
- SUSE Linux Enterprise Server 12-SP5 (x86_64):
  kernel-default-devel-debuginfo-4.12.14-122.66.2
- SUSE Linux Enterprise Server 12-SP5 (s390x):
  kernel-default-man-4.12.14-122.66.2
- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-122.66.2
  kernel-default-debugsource-4.12.14-122.66.2
  kernel-default-kgraft-4.12.14-122.66.2
  kernel-default-kgraft-devel-4.12.14-122.66.2
  kgraft-patch-4_12_14-122_66-default-1-8.3.2
- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-122.66.2
  cluster-md-kmp-default-debuginfo-4.12.14-122.66.2
  dlm-kmp-default-4.12.14-122.66.2
  dlm-kmp-default-debuginfo-4.12.14-122.66.2
  gfs2-kmp-default-4.12.14-122.66.2
  gfs2-kmp-default-debuginfo-4.12.14-122.66.2
  kernel-default-debuginfo-4.12.14-122.66.2
  kernel-default-debugsource-4.12.14-122.66.2
  ocfs2-kmp-default-4.12.14-122.66.2
  ocfs2-kmp-default-debuginfo-4.12.14-122.66.2

References:

https://www.suse.com/security/cve/CVE-2020-0433.html
https://www.suse.com/security/cve/CVE-2020-25670.html
https://www.suse.com/security/cve/CVE-2020-25671.html
https://www.suse.com/security/cve/CVE-2020-25672.html
https://www.suse.com/security/cve/CVE-2020-25673.html
https://www.suse.com/security/cve/CVE-2020-27170.html
https://www.suse.com/security/cve/CVE-2020-27171.html
https://www.suse.com/security/cve/CVE-2020-27815.html
https://www.suse.com/security/cve/CVE-2020-29368.html
https://www.suse.com/security/cve/CVE-2020-29374.html
https://www.suse.com/security/cve/CVE-2020-35519.html
https://www.suse.com/security/cve/CVE-2020-36311.html
https://www.suse.com/security/cve/CVE-2021-20219.html
https://www.suse.com/security/cve/CVE-2021-26930.html
https://www.suse.com/security/cve/CVE-2021-26931.html
https://www.suse.com/security/cve/CVE-2021-26932.html
https://www.suse.com/security/cve/CVE-2021-27363.html
https://www.suse.com/security/cve/CVE-2021-27364.html
https://www.suse.com/security/cve/CVE-2021-27365.html
https://www.suse.com/security/cve/CVE-2021-28038.html
https://www.suse.com/security/cve/CVE-2021-28660.html
https://www.suse.com/security/cve/CVE-2021-28688.html
https://www.suse.com/security/cve/CVE-2021-28964.html
https://www.suse.com/security/cve/CVE-2021-28971.html
https://www.suse.com/security/cve/CVE-2021-28972.html
https://www.suse.com/security/cve/CVE-2021-29154.html
https://www.suse.com/security/cve/CVE-2021-29264.html
https://www.suse.com/security/cve/CVE-2021-29265.html
https://www.suse.com/security/cve/CVE-2021-29647.html
https://www.suse.com/security/cve/CVE-2021-30002.html
https://www.suse.com/security/cve/CVE-2021-3428.html
https://www.suse.com/security/cve/CVE-2021-3444.html
https://www.suse.com/security/cve/CVE-2021-3483.html
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1103990
https://bugzilla.suse.com/1103991
https://bugzilla.suse.com/1103992
https://bugzilla.suse.com/1104270
https://bugzilla.suse.com/1104353
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111981
https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1113295
https://bugzilla.suse.com/1113994
https://bugzilla.suse.com/1118657
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1119113
https://bugzilla.suse.com/1126390
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1132477
https://bugzilla.suse.com/1142635
https://bugzilla.suse.com/1152446
https://bugzilla.suse.com/1154048
https://bugzilla.suse.com/1169709
https://bugzilla.suse.com/1172455
https://bugzilla.suse.com/1173485
https://bugzilla.suse.com/1175165
https://bugzilla.suse.com/1176720
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1178163
https://bugzilla.suse.com/1178181
https://bugzilla.suse.com/1179243
https://bugzilla.suse.com/1179428
https://bugzilla.suse.com/1179454
https://bugzilla.suse.com/1179660
https://bugzilla.suse.com/1179755
https://bugzilla.suse.com/1180846
https://bugzilla.suse.com/1181507
https://bugzilla.suse.com/1181515
https://bugzilla.suse.com/1181544
https://bugzilla.suse.com/1181655
https://bugzilla.suse.com/1181674
https://bugzilla.suse.com/1181747
https://bugzilla.suse.com/1181753
https://bugzilla.suse.com/1181843
https://bugzilla.suse.com/1182011
https://bugzilla.suse.com/1182175
https://bugzilla.suse.com/1182485
https://bugzilla.suse.com/1182574
https://bugzilla.suse.com/1182715
https://bugzilla.suse.com/1182716
https://bugzilla.suse.com/1182717
https://bugzilla.suse.com/1183018
https://bugzilla.suse.com/1183022
https://bugzilla.suse.com/1183023
https://bugzilla.suse.com/1183378
https://bugzilla.suse.com/1183379
https://bugzilla.suse.com/1183380
https://bugzilla.suse.com/1183381
https://bugzilla.suse.com/1183382
https://bugzilla.suse.com/1183405
https://bugzilla.suse.com/1183416
https://bugzilla.suse.com/1183509
https://bugzilla.suse.com/1183593
https://bugzilla.suse.com/1183646
https://bugzilla.suse.com/1183662
https://bugzilla.suse.com/1183686
https://bugzilla.suse.com/1183692
https://bugzilla.suse.com/1183696
https://bugzilla.suse.com/1183755
https://bugzilla.suse.com/1183775
https://bugzilla.suse.com/1183861
https://bugzilla.suse.com/1183871
https://bugzilla.suse.com/1184114
https://bugzilla.suse.com/1184120
https://bugzilla.suse.com/1184167
https://bugzilla.suse.com/1184168
https://bugzilla.suse.com/1184170
https://bugzilla.suse.com/1184192
https://bugzilla.suse.com/1184193
https://bugzilla.suse.com/1184196
https://bugzilla.suse.com/1184198
https://bugzilla.suse.com/1184391
https://bugzilla.suse.com/1184393
https://bugzilla.suse.com/1184397
https://bugzilla.suse.com/1184494
https://bugzilla.suse.com/1184511
https://bugzilla.suse.com/1184583

From sle-security-updates at lists.suse.com Thu Apr 15 19:32:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 15 Apr 2021 21:32:20 +0200 (CEST)
Subject: SUSE-SU-2021:1211-1: important: Security update for the Linux Kernel
Message-ID: <20210415193220.13B61FCF8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1211-1
Rating: important
References:
  #1047233 #1065729 #1113295 #1152472 #1152489 #1153274 #1154353 #1155518
  #1156256 #1156395 #1159280 #1160634 #1167773 #1168777 #1169514 #1169709
  #1171295 #1173485 #1177326 #1178163 #1178181 #1178330 #1179454 #1180197
  #1180980 #1181383 #1181507 #1181674 #1181862 #1182011 #1182077 #1182485
  #1182552 #1182574 #1182591 #1182595 #1182712 #1182713 #1182715 #1182716
  #1182717 #1182770 #1182989 #1183015 #1183018 #1183022 #1183023 #1183048
  #1183252 #1183277 #1183278 #1183279 #1183280 #1183281 #1183282 #1183283
  #1183284 #1183285 #1183286 #1183287 #1183288 #1183366 #1183369 #1183386
  #1183405 #1183412 #1183416 #1183427 #1183428 #1183445 #1183447 #1183501
  #1183509 #1183530 #1183534 #1183540 #1183593 #1183596 #1183598 #1183637
  #1183646 #1183662 #1183686 #1183692 #1183696 #1183750 #1183757 #1183775
  #1183843 #1183859 #1183871 #1184074 #1184120 #1184167 #1184168 #1184170
  #1184176 #1184192 #1184193 #1184194 #1184196 #1184198 #1184211 #1184217
  #1184218 #1184219 #1184220 #1184224 #1184388 #1184391 #1184393 #1184509
  #1184511 #1184512 #1184514 #1184583 #1184647
Cross-References:
  CVE-2019-18814 CVE-2019-19769 CVE-2020-25670 CVE-2020-25671
  CVE-2020-25672 CVE-2020-25673 CVE-2020-27170 CVE-2020-27171
  CVE-2020-27815 CVE-2020-35519 CVE-2020-36310 CVE-2020-36311
  CVE-2020-36312 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365
  CVE-2021-28038 CVE-2021-28375 CVE-2021-28660 CVE-2021-28688
  CVE-2021-28950 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972
  CVE-2021-29154 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647
  CVE-2021-30002 CVE-2021-3428 CVE-2021-3444 CVE-2021-3483
CVSS scores:
  CVE-2019-18814 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-18814 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  CVE-2019-19769 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-19769 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H
  CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
  CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-36310 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-36312 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  CVE-2021-28375 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
  CVE-2021-28950 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

An update that solves 32 vulnerabilities and has 85 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280).
- CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181).
- CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
- CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
- CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).
- CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop that was continually finding the same bad inode (bsc#1184194).

The following non-security bugs were fixed:

- 0007-block-add-docs-for-gendisk-request_queue-refcount-he.patch: (bsc#1171295, git fixes (block drivers)).
- 0008-block-revert-back-to-synchronous-request_queue-remov.patch: (bsc#1171295, git fixes (block drivers)).
- 0009-blktrace-fix-debugfs-use-after-free.patch: (bsc#1171295, git fixes (block drivers)).
- ACPI: bus: Constify is_acpi_node() and friends (part 2) (git-fixes).
- ACPICA: Always create namespace nodes using acpi_ns_create_node() (git-fixes).
- ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383).
- ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (git-fixes).
- ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes).
- ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (git-fixes).
- ACPI: video: Add missing callback back for Sony VPCEH3U1E (git-fixes).
- ALSA: aloop: Fix initialization of controls (git-fixes).
- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes).
- ALSA: hda: Avoid spurious unsol event handling during S3/S4 (git-fixes).
- ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes).
- ALSA: hda: generic: Fix the micmute led init state (git-fixes).
- ALSA: hda/hdmi: Cancel pending works before suspend (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo NH55RZQ (git-fixes).
- ALSA: hda/realtek: Add quirk for Intel NUC 10 (git-fixes).
- ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board (git-fixes).
- ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (git-fixes).
- ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (git-fixes).
- ALSA: hda/realtek: Enable headset mic of Acer SWIFT with ALC256 (git-fixes).
- ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (git-fixes).
- ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (git-fixes).
- ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk (bsc#1182552).
- ALSA: usb-audio: Allow modifying parameters with succeeding hw_params calls (bsc#1182552).
- ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (git-fixes).
- ALSA: usb-audio: Apply the control quirk to Plantronics headsets (bsc#1182552).
- ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() (bsc#1182552).
- ALSA: usb-audio: Do not abort even if the clock rate differs (bsc#1182552).
- ALSA: usb-audio: Drop bogus dB range in too low level (bsc#1182552).
- ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar (bsc#1182552).
- ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe (bsc#1182552).
- ALSA: usb-audio: Fix "RANGE setting not yet supported" errors (git-fixes).
- ALSA: usb-audio: fix use after free in usb_audio_disconnect (bsc#1182552).
- ALSA: usb-audio: Skip the clock selector inquiry for single connections (git-fixes).
- ALSA: usb: Use DIV_ROUND_UP() instead of open-coding it (git-fixes).
- amd/amdgpu: Disable VCN DPG mode for Picasso (git-fixes).
- apparmor: check/put label on apparmor_sk_clone_security() (git-fixes).
- appletalk: Fix skb allocation size in loopback case (git-fixes).
- arm64: make STACKPROTECTOR_PER_TASK configurable (bsc#1181862).
- ASoC: ak4458: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: ak5558: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: cs42l42: Always wait at least 3ms after reset (git-fixes).
- ASoC: cs42l42: Do not enable/disable regulator at Bias Level (git-fixes).
- ASoC: cs42l42: Fix Bitclock polarity inversion (git-fixes).
- ASoC: cs42l42: Fix channel width support (git-fixes).
- ASoC: cs42l42: Fix mixer volume control (git-fixes).
- ASoC: cygnus: fix for_each_child.cocci warnings (git-fixes).
- ASoC: es8316: Simplify adc_pga_gain_tlv table (git-fixes).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (git-fixes).
- ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions (git-fixes).
- ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold (git-fixes).
- ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (git-fixes).
- ASoC: max98373: Added 30ms turn on/off time delay (git-fixes).
- ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5670: Add emulated 'DAC1 Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove ADC vol-ctrl mute bits poking from Sto1 ADC mixer settings (git-fixes).
- ASoC: rt5670: Remove 'HP Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove 'OUT Channel Switch' control (git-fixes).
- ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (git-fixes).
- ASoC: simple-card-utils: Do not handle device clock (git-fixes).
- ASoC: sunxi: sun4i-codec: fill ASoC card owner (git-fixes).
- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes).
- ath10k: fix wmi mgmt tx queue full due to race condition (git-fixes).
- ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (git-fixes).
- ath9k: fix transmitting to stations in dynamic SMPS mode (git-fixes).
- atl1c: fix error return code in atl1c_probe() (git-fixes).
- atl1e: fix error return code in atl1e_probe() (git-fixes).
- batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- blktrace-annotate-required-lock-on-do_blk_trace_setu.patch: (bsc#1171295).
- blktrace-Avoid-sparse-warnings-when-assigning-q-blk_.patch: (bsc#1171295).
- blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch: (bsc#1171295).
- block-clarify-context-for-refcount-increment-helpers.patch: (bsc#1171295).
- block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes).
- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes).
- Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (git-fixes).
- bnxt_en: reliably allocate IRQ table on reset to avoid crash (jsc#SLE-8371 bsc#1153274).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (bsc#1155518).
- bpf: Declare __bpf_free_used_maps() unconditionally (bsc#1155518).
- bpf: Do not do bpf_cgroup_storage_set() for kuprobe/tp programs (bsc#1155518).
- bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170).
- bpf_lru_list: Read double-checked variable once without lock (bsc#1155518).
- bpf: Remove MTU check in __bpf_skb_max_len (bsc#1155518).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163).
- brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (git-fixes).
- brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (git-fixes).
- brcmfmac: clear EAP/association status bits on linkdown events (git-fixes).
- btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (bsc#1184217).
- btrfs: always pin deleted leaves when there are active tree mod log users (bsc#1184224).
- btrfs: fix exhaustion of the system chunk array due to concurrent allocations (bsc#1183386).
- btrfs: fix extent buffer leak on failure to copy root (bsc#1184218).
- btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193).
- btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled (bsc#1184220).
- btrfs: fix subvolume/snapshot deletion not triggered on mount (bsc#1184219).
- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes).
- bus: ti-sysc: Fix warning on unbind if reset is not deasserted (git-fixes).
- can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes).
- can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes).
- can: flexcan: assert FRZ bit in flexcan_chip_freeze() (git-fixes).
- can: flexcan: enable RX FIFO after FRZ/HALT valid (git-fixes).
- can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (git-fixes).
- can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (git-fixes).
- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes).
- can: peak_usb: add forgotten supported devices (git-fixes).
- can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes).
- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes).
- cdc-acm: fix BREAK rx code path adding necessary calls (git-fixes).
- certs: Fix blacklist flag type confusion (git-fixes).
- cifs: change noisy error message to FYI (bsc#1181507).
- cifs: check pointer before freeing (bsc#1183534).
- cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507).
- cifs: do not send close in compound create+close requests (bsc#1181507).
- cifs: New optype for session operations (bsc#1181507).
- cifs: print MIDs in decimal notation (bsc#1181507).
- cifs: return proper error code in statfs(2) (bsc#1181507).
- cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
- clk: fix invalid usage of list cursor in register (git-fixes).
- clk: fix invalid usage of list cursor in unregister (git-fixes).
- clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes).
- completion: Drop init_completion define (git-fixes).
- configfs: fix a use-after-free in __configfs_open_file (git-fixes).
- config: net: freescale: change xgmac-mdio to built-in References: bsc#1183015,bsc#1182595
- crypto: aesni - prevent misaligned buffers on the stack (git-fixes).
- crypto: arm64/sha - add missing module aliases (git-fixes).
- crypto: bcm - Rename struct device_private to bcm_device_private (git-fixes).
- crypto: Kconfig - CRYPTO_MANAGER_EXTRA_TESTS requires the manager (git-fixes).
- crypto: tcrypt - avoid signed overflow in byte count (git-fixes).
- Delete patches.suse/sched-Reenable-interrupts-in-do_sched_yield.patch (bsc#1183530)
- drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue (git-fixes).
- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes).
- drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (git-fixes).
- drm/amdgpu: Add check to prevent IH overflow (git-fixes).
- drm/amdgpu: check alignment on CPU page for bo map (git-fixes).
- drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (git-fixes).
- drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (git-fixes).
- drm/amdkfd: Put ACPI table after using it (bsc#1152489)
  Backporting notes:
  * context changes
- drm/amd/powerplay: fix spelling mistake "smu_state_memroy_block" -> (bsc#1152489)
  Backporting notes:
  * rename amd/pm to amd/powerplay
  * context changes
- drm/compat: Clear bounce structures (git-fixes).
- drm/hisilicon: Fix use-after-free (git-fixes).
- drm/i915: Fix invalid access to ACPI _DSM objects (bsc#1184074).
- drm/i915: Reject 446-480MHz HDMI clock on GLK (git-fixes).
- drm/mediatek: Fix aal size config (bsc#1152489)
- drm: meson_drv add shutdown function (git-fixes).
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes).
- drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup to other GPUs (git-fixes).
- drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (git-fixes).
- drm/msm: Fix races managing the OOB state for timestamp vs (bsc#1152489)
- drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes).
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1152489)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1152489)
- drm/msm/gem: Add obj->lock wrappers (bsc#1152489)
- drm/msm: Ratelimit invalid-fence message (git-fixes).
- drm/msm: Set drvdata to NULL when msm_drm_init() fails (git-fixes).
- drm/nouveau: bail out of nouveau_channel_new if channel init fails (bsc#1152489)
- drm/nouveau/kms: handle mDP connectors (git-fixes).
- drm/panfrost: Do not corrupt the queue mutex on open/close (bsc#1152472)
- drm/panfrost: Fix job timeout handling (bsc#1152472)
- drm/panfrost: Remove unused variables in panfrost_job_close() (bsc#1152472)
- drm/radeon: fix AGP dependency (git-fixes).
- drm: rcar-du: Fix crash when using LVDS1 clock for CRTC (bsc#1152489)
- drm/sched: Cancel and flush all outstanding jobs before finish (git-fixes).
- drm/sun4i: tcon: fix inverted DCLK polarity (bsc#1152489)
- drm/tegra: sor: Grab runtime PM reference across reset (git-fixes).
- drm/vc4: hdmi: Restore cec physical address on reconnect (bsc#1152472)
- efi: use 32-bit alignment for efi_guid_t literals (git-fixes).
- enetc: Fix reporting of h/w packet counters (git-fixes).
- epoll: check for events when removing a timed out thread from the wait queue (git-fixes).
- ethernet: alx: fix order of calls on resume (git-fixes).
- exec: Move would_dump into flush_old_exec (git-fixes).
- exfat: add missing MODULE_ALIAS_FS() (bsc#1182989).
- exfat: add the dummy mount options to be backward compatible with staging/exfat (bsc#1182989).
- extcon: Add stubs for extcon_register_notifier_all() functions (git-fixes).
- extcon: Fix error handling in extcon_dev_register (git-fixes).
- fbdev: aty: SPARC64 requires FB_ATY_CT (git-fixes).
- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes).
- flow_dissector: fix byteorder of dissected ICMP ID (bsc#1154353).
- fsl/fman: check dereferencing null pointer (git-fixes).
- fsl/fman: fix dereference null return value (git-fixes).
- fsl/fman: fix eth hash table allocation (git-fixes).
- fsl/fman: fix unreachable code (git-fixes).
- fsl/fman: use 32-bit unsigned integer (git-fixes).
- fuse: fix bad inode (bsc#1184211).
- fuse: fix live lock in fuse_iget() (bsc#1184211).
- fuse: verify write return (git-fixes).
- gcc-plugins: drop support for GCC <= 4.7 (bcs#1181862).
- gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (bcs#1181862).
- gcc-plugins: simplify GCC plugin-dev capability test (bsc#1181862).
- gianfar: Account for Tx PTP timestamp in the skb headroom (git-fixes).
- gianfar: Fix TX timestamping with a stacked DSA driver (git-fixes).
- gianfar: Handle error code at MAC address change (git-fixes).
- gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP (git-fixes).
- Goodix Fingerprint device is not a modem (git-fixes).
- gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes).
- gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2 (git-fixes).
- gpio: zynq: fix reference leak in zynq_gpio functions (git-fixes).
- HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (git-fixes).
- HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (git-fixes).
- HSI: Fix PM usage counter unbalance in ssi_hw_init (git-fixes).
- hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (git-fixes).
- i2c: rcar: faster irq code to minimize HW race condition (git-fixes).
- i2c: rcar: optimize cacheline to minimize HW race condition (git-fixes).
- i40e: Fix parameters in aq_get_phy_register() (jsc#SLE-8025).
- i40e: Fix sparse error: 'vsi->netdev' could be null (jsc#SLE-8025).
- iavf: Fix incorrect adapter get in iavf_resume (git-fixes).
- iavf: use generic power management (git-fixes).
- ibmvnic: add comments for spinlock_t definitions (bsc#1183871 ltc#192139).
- ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
- ibmvnic: avoid multiple line dereference (bsc#1183871 ltc#192139).
- ibmvnic: fix block comments (bsc#1183871 ltc#192139).
- ibmvnic: fix braces (bsc#1183871 ltc#192139).
- ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139).
- ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (jsc#SLE-17268).
- ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 ltc#192139).
- ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139).
- ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1183871 ltc#192139).
- ibmvnic: remove excessive irqsave (bsc#1182485 ltc#191591).
- ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1183871 ltc#192139).
- ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1183871 ltc#192139).
- ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1183871 ltc#192139).
- ibmvnic: simplify reset_long_term_buff function (bsc#1183023 ltc#191791).
- ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1183023 ltc#191791).
- ice: fix memory leak if register_netdev_fails (git-fixes).
- ice: fix memory leak in ice_vsi_setup (git-fixes).
- ice: Fix state bits on LLDP mode switch (jsc#SLE-7926).
- ice: remove DCBNL_DEVRESET bit from PF state (jsc#SLE-7926).
- ice: renegotiate link after FW DCB on (jsc#SLE-8464).
- ice: report correct max number of TCs (jsc#SLE-7926).
- ice: update the number of available RSS queues (jsc#SLE-7926).
- igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634).
- iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (git-fixes).
- iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes).
- iio: adis16400: Fix an error code in adis16400_initial_setup() (git-fixes).
- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes).
- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes).
- iio: hid-sensor-prox: Fix scale not correct issue (git-fixes).
- iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes).
- include/linux/sched/mm.h: use rcu_dereference in in_vfork() (git-fixes).
- Input: applespi - do not wait for responses to commands indefinitely (git-fixes).
- Input: elantech - fix protocol errors for some trackpoints in SMBus mode (git-fixes).
- Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes).
- Input: raydium_ts_i2c - do not send zero length (git-fixes).
- Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183277).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183278).
- iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183637).
- iommu/vt-d: Add get_domain_info() helper (bsc#1183279).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183280).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183281).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183282).
- iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183283).
- iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183284).
- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183285).
- iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183286).
- ionic: linearize tso skb with too many frags (bsc#1167773).
- kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig (bcs#1181862).
- kbuild: change *FLAGS_<basetarget>.o to take the path relative to $(obj) (bcs#1181862).
- kbuild: dummy-tools, fix inverted tests for gcc (bcs#1181862).
- kbuild: dummy-tools, support MPROFILE_KERNEL checks for ppc (bsc#1181862).
- kbuild: Fail if gold linker is detected (bcs#1181862).
- kbuild: improve cc-option to clean up all temporary files (bsc#1178330).
- kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled (bcs#1181862).
- kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc (bcs#1181862).
- kbuild: stop filtering out $(GCC_PLUGINS_CFLAGS) from cc-option base (bcs#1181862).
- kbuild: use -S instead of -E for precise cc-option test in Kconfig (bsc#1178330).
- kconfig: introduce m32-flag and m64-flag (bcs#1181862).
- KVM: nVMX: Properly handle userspace interrupt window request (bsc#1183427).
- KVM: SVM: Clear the CR4 register on reset (bsc#1183252).
- KVM: x86: Add helpers to perform CPUID-based guest vendor check (bsc#1183445).
- KVM: x86: Add RIP to the kvm_entry, i.e. VM-Enter, tracepoint Needed as a dependency of 0b40723a827 ("kvm: tracing: Fix unmatched kvm_entry and kvm_exit events", bsc#1182770).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183287).
- KVM: x86: do not reset microcode version on INIT or RESET (bsc#1183412).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1183447).
- KVM: x86: list MSR_IA32_UCODE_REV as an emulated MSR (bsc#1183369).
- KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries (bsc#1183428).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183288).
- libbpf: Clear map_info before each bpf_obj_get_info_by_fd (bsc#1155518).
- libbpf: Fix BTF dump of pointer-to-array-of-struct (bsc#1155518).
- libbpf: Fix INSTALL flag order (bsc#1155518).
- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (bsc#1155518).
- lib/syscall: fix syscall registers retrieval on 32-bit platforms (git-fixes).
- locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes).
- loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch: (bsc#1171295).
- mac80211: choose first enabled channel for monitor (git-fixes).
- mac80211: fix double free in ibss_leave (git-fixes).
- mac80211: fix rate mask reset (git-fixes).
- mac80211: fix TXQ AC confusion (git-fixes).
- mdio: fix mdio-thunder.c dependency & build error (git-fixes).
- media: cros-ec-cec: do not bail on device_init_wakeup failure (git-fixes).
- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (git-fixes).
- media: mceusb: Fix potential out-of-bounds shift (git-fixes).
- media: mceusb: sanity check for prescaler value (git-fixes).
- media: rc: compile rc-cec.c into rc-core (git-fixes).
- media: usbtv: Fix deadlock on suspend (git-fixes).
- media: uvcvideo: Allow entities with no pads (git-fixes).
- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (git-fixes).
- media: v4l: vsp1: Fix bru null pointer access (git-fixes).
- media: v4l: vsp1: Fix uif null pointer access (git-fixes).
- media: vicodec: add missing v4l2_ctrl_request_hdl_put() (git-fixes).
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes).
- misc: fastrpc: restrict user apps from sending kernel RPC messages (git-fixes).
- misc/pvpanic: Export module FDT device table (git-fixes).
- misc: rtsx: init of rts522a add OCP power off when no card is present (git-fixes).
- mISDN: fix crash in fritzpci (git-fixes).
- mmc: core: Fix partition switch time for eMMC (git-fixes).
- mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes).
- mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' (git-fixes).
- mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes).
- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page (git-fixes).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1168777).
- mount: fix mounting of detached mounts onto targets that reside on shared mounts (git-fixes).
- mt76: dma: do not report truncated frames to mac80211 (git-fixes).
- mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes).
- net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes).
- net: atheros: switch from 'pci_' to 'dma_' API (git-fixes).
- net: b44: fix error return code in b44_init_one() (git-fixes).
- net: bonding: fix error return code of bond_neigh_init() (bsc#1154353).
- net: cdc-phonet: fix data-interface release on probe failure (git-fixes).
- net: core: introduce __netdev_notify_peers (bsc#1183871 ltc#192139).
- netdevsim: init u64 stats for 32bit hardware (git-fixes).
- net: dsa: rtl8366: Fix VLAN semantics (git-fixes).
- net: dsa: rtl8366: Fix VLAN set-up (git-fixes).
- net: dsa: rtl8366rb: Support all 4096 VLANs (git-fixes).
- net: enic: Cure the enic api locking trainwreck (git-fixes).
- net: ethernet: aquantia: Fix wrong return value (git-fixes).
- net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop (git-fixes).
- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1183871 ltc#192139).
- net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port (git-fixes).
- net: ethernet: ti: cpsw: fix error return code in cpsw_probe() (git-fixes).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix reference count leak in fec series ops (git-fixes).
- net: gemini: Fix another missing clk_disable_unprepare() in probe (git-fixes).
- net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gianfar: Add of_node_put() before goto statement (git-fixes).
- net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device (git-fixes).
- net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup (git-fixes).
- net: hns3: Remove the left over redundant check & assignment (bsc#1154353).
- net: korina: cast KSEG0 address to pointer in kfree (git-fixes).
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- net: lantiq: Wait for the GPHY firmware to be ready (git-fixes).
- net/mlx5: Disable devlink reload for lag devices (jsc#SLE-8464).
- net/mlx5: Disable devlink reload for multi port slave device (jsc#SLE-8464).
- net/mlx5: Disallow RoCE on lag device (jsc#SLE-8464).
- net/mlx5: Disallow RoCE on multi port slave device (jsc#SLE-8464).
- net/mlx5e: E-switch, Fix rate calculation division (jsc#SLE-8464).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net/mlx5: Fix PPLM register mapping (jsc#SLE-8464).
- net: mvneta: fix double free of txq->buf (git-fixes).
- net: mvneta: make tx buffer array agnostic (git-fixes).
- net: pasemi: fix error return code in pasemi_mac_open() (git-fixes).
- net: phy: broadcom: Only advertise EEE for supported modes (git-fixes).
- net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes).
- net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup (git-fixes).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- netsec: restore phy power state after controller reset (bsc#1183757).
- net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- net: stmmac: Fix incorrect location to set real_num_rx|tx_queues (git-fixes).
- net: stmmac: removed enabling eee in EEE set callback (git-fixes).
- net: stmmac: use netif_tx_start|stop_all_queues() function (git-fixes).
- net: stmmac: Use rtnl_lock/unlock on netif_set_real_num_rx_queues() call (git-fixes).
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes).
- net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes).
- net: usb: qmi_wwan: support ZTE P685M modem (git-fixes).
- net: wan/lmc: unregister device when no matching device is found (git-fixes).
- nfp: flower: fix pre_tun mask id allocation (bsc#1154353).
- nvme: allocate the keep alive request using BLK_MQ_REQ_NOWAIT (bsc#1182077).
- nvme-fabrics: fix kato initialization (bsc#1182591).
- nvme-fabrics: only reserve a single tag (bsc#1182077).
- nvme-fc: fix racing controller reset and create association (bsc#1183048).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme: merge nvme_keep_alive into nvme_keep_alive_work (bsc#1182077).
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- nvmet-rdma: Fix list_del corruption on queue establishment failure (bsc#1183501).
- objtool: Fix ".cold" section suffix check for newer versions of GCC (bsc#1169514).
- objtool: Fix error handling for STD/CLD warnings (bsc#1169514).
- objtool: Fix retpoline detection in asm code (bsc#1169514).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1184176).
- ovl: fix out of date comment and unreachable code (bsc#1184176).
   - ovl: fix regression with re-formatted lower squashfs (bsc#1184176).
   - ovl: fix unneeded call to ovl_change_flags() (bsc#1184176).
   - ovl: fix value of i_ino for lower hardlink corner case (bsc#1184176).
   - ovl: initialize error in ovl_copy_xattr (bsc#1184176).
   - ovl: relax WARN_ON() when decoding lower directory file handle (bsc#1184176).
   - PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (git-fixes).
   - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes).
   - PCI: Align checking of syscall user config accessors (git-fixes).
   - PCI: Decline to resize resources if boot config must be preserved (git-fixes).
   - PCI: Fix pci_register_io_range() memory leak (git-fixes).
   - PCI: mediatek: Add missing of_node_put() to fix reference leak (git-fixes).
   - PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (git-fixes).
   - PCI: xgene-msi: Fix race in installing chained irq handler (git-fixes).
   - pinctrl: rockchip: fix restore error in resume (git-fixes).
   - Platform: OLPC: Fix probe error handling (git-fixes).
   - platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (git-fixes).
   - platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (git-fixes).
   - platform/x86: acer-wmi: Add new force_caps module parameter (git-fixes).
   - platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (git-fixes).
   - platform/x86: acer-wmi: Cleanup accelerometer device handling (git-fixes).
   - platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (git-fixes).
   - platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (git-fixes).
   - platform/x86: intel-vbtn: Stop reporting SW_DOCK events (git-fixes).
   - platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (git-fixes).
   - PM: EM: postpone creating the debugfs dir till fs_initcall (git-fixes).
   - PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (bsc#1183366).
   - PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes).
   - PM: runtime: Fix race getting/putting suppliers at probe (git-fixes).
   - post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
   - powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729).
   - powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963).
   - powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
   - powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
   - powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
   - powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729).
   - powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395).
   - powerpc/sstep: Fix darn emulation (bsc#1156395).
   - powerpc/sstep: Fix incorrect return from analyze_instr() (bsc#1156395).
   - powerpc/sstep: Fix load-store and update emulation (bsc#1156395).
   - printk: fix deadlock when kernel panic (bsc#1183018).
   - proc: fix lookup in /proc/net subdirectories after setns(2) (git-fixes).
   - pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes).
   - qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes).
   - qxl: Fix uninitialised struct field head.surface_id (git-fixes).
   - random: fix the RNDRESEEDCRNG ioctl (git-fixes).
   - RAS/CEC: Correct ce_add_elem()'s returned values (bsc#1152489).
   - RDMA/hns: Disable RQ inline by default (jsc#SLE-8449).
   - RDMA/hns: Fix type of sq_signal_bits (jsc#SLE-8449).
   - RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
   - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes).
   - Revert "net: bonding: fix error return code of bond_neigh_init()" (bsc#1154353).
   - rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079).
   - rpm/check-for-config-changes: add -mrecord-mcount ignore Added by 3b15cdc15956 (tracing: move function tracer options to Kconfig) upstream.
   - rpm/check-for-config-changes: Also ignore AS_VERSION added in 5.12.
   - rpm/check-for-config-changes: comment on the list To explain what it actually is.
   - rpm/check-for-config-changes: declare sed args as an array So that we can reuse it in both seds. This also introduces IGNORED_CONFIGS_RE array which can be easily extended.
   - rpm/check-for-config-changes: define ignores more strictly
     * search for whole words, so make wildcards explicit
     * use ' for quoting
     * prepend CONFIG_ dynamically, so it need not be in the list
   - rpm/check-for-config-changes: sort the ignores They are growing so to make them searchable by humans.
   - rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514) The devel package requires the kernel binary package itself for building modules externally.
   - rsi: Fix TX EAPOL packet handling against iwlwifi AP (git-fixes).
   - rsi: Move card interrupt handling to RX thread (git-fixes).
   - rsxx: Return -EFAULT if copy_to_user() fails (git-fixes).
   - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
   - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
   - s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes).
   - s390/dasd: fix hanging IO request during DASD driver unbind (git-fixes).
   - s390/qeth: fix memory leak after failed TX Buffer allocation (git-fixes).
   - s390/qeth: fix notification for pending buffers during teardown (git-fixes).
   - s390/qeth: improve completion of pending TX buffers (git-fixes).
   - s390/qeth: schedule TX NAPI on QAOB completion (git-fixes).
   - s390/vtime: fix increased steal time accounting (bsc#1183859).
   - samples, bpf: Add missing munmap in xdpsock (bsc#1155518).
   - scsi: ibmvfc: Fix invalid state machine BUG_ON() (bsc#1184647 ltc#191231).
   - scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574).
   - scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574).
   - scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574).
   - scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574).
   - scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574).
   - scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574).
   - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574).
   - scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574).
   - scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574).
   - scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574).
   - scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574).
   - scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574).
   - scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574).
   - scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574).
   - scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574).
   - scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574).
   - scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574).
   - scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574).
   - scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574).
   - scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574).
   - scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574).
   - scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574).
   - scsi: target: pscsi: Avoid OOM in pscsi_map_sg() (bsc#1183843).
   - scsi: target: pscsi: Clean up after failure in pscsi_map_sg() (bsc#1183843).
   - selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (bsc#1155518).
   - selftests/bpf: No need to drop the packet when there is no geneve opt (bsc#1155518).
   - selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (bsc#1155518).
   - selinux: fix error initialization in inode_doinit_with_dentry() (git-fixes).
   - selinux: Fix error return code in sel_ib_pkey_sid_slow() (git-fixes).
   - selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (git-fixes).
   - smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
   - smb3: fix crediting for compounding when only one request in flight (bsc#1181507).
   - smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
   - soc/fsl: qbman: fix conflicting alignment attributes (git-fixes).
   - software node: Fix node registration (git-fixes).
   - spi: stm32: make spurious and overrun interrupts visible (git-fixes).
   - squashfs: fix inode lookup sanity checks (bsc#1183750).
   - squashfs: fix xattr id and id lookup sanity checks (bsc#1183750).
   - stop_machine: mark helpers __always_inline (git-fixes).
   - thermal/core: Add NULL pointer check before using cooling device stats (git-fixes).
   - udlfb: Fix memory leak in dlfb_usb_probe (git-fixes).
   - Update bug reference for USB-audio fixes (bsc#1182552 bsc#1183598)
   - USB: cdc-acm: downgrade message to debug (git-fixes).
   - USB: cdc-acm: fix double free on probe failure (git-fixes).
   - USB: cdc-acm: fix use-after-free after probe failure (git-fixes).
   - USB: cdc-acm: untangle a circular dependency between callback and softint (git-fixes).
   - USB: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board (git-fixes).
   - USB: dwc2: Prevent core suspend when port connection flag is 0 (git-fixes).
   - USB: dwc3: gadget: Fix dep->interval for fullspeed interrupt (git-fixes).
   - USB: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 (git-fixes).
   - USB: dwc3: qcom: Add missing DWC3 OF node refcount decrement (git-fixes).
   - USB: dwc3: qcom: Honor wakeup enabled/disabled state (git-fixes).
   - USB: gadget: configfs: Fix KASAN use-after-free (git-fixes).
   - USB: gadget: f_uac1: stop playback on function disable (git-fixes).
   - USB: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes).
   - USB: gadget: udc: amd5536udc_pci fix null-ptr-dereference (git-fixes).
   - USB: gadget: u_ether: Fix a configfs return code (git-fixes).
   - USBip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
   - USBip: fix stub_dev to check for stream socket (git-fixes).
   - USBip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes).
   - USBip: fix vhci_hcd attach_store() races leading to gpf (git-fixes).
   - USBip: fix vhci_hcd to check for stream socket (git-fixes).
   - USBip: fix vudc to check for stream socket (git-fixes).
   - USBip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes).
   - USBip: tools: fix build error for multiple definition (git-fixes).
   - USBip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (git-fixes).
   - USB: musb: Fix suspend with devices connected for a64 (git-fixes).
   - USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (git-fixes).
   - USB: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (git-fixes).
   - USB: replace hardcode maximum usb string length by definition (git-fixes).
   - USB: serial: ch341: add new Product ID (git-fixes).
   - USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (git-fixes).
   - USB: serial: cp210x: add some more GE USB IDs (git-fixes).
   - USB: serial: ftdi_sio: fix FTX sub-integer prescaler (git-fixes).
   - USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
   - USB-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
   - USB: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
   - USB: usblp: fix a hang in poll() if disconnected (git-fixes).
   - USB: xhci: do not perform Soft Retry for some xHCI hosts (git-fixes).
   - USB: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (git-fixes).
   - USB: xhci-mtk: fix broken streams issue on 0.96 xHCI (git-fixes).
   - use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139).
   - video: fbdev: acornfb: remove free_unused_pages() (bsc#1152489)
   - video: hyperv_fb: Fix a double free in hvfb_probe (git-fixes).
   - VMCI: Use set_page_dirty_lock() when unregistering guest memory (git-fixes).
   - vt/consolemap: do font sum unsigned (git-fixes).
   - watchdog: mei_wdt: request stop on unregister (git-fixes).
   - wireguard: device: do not generate ICMP for non-IP packets (git-fixes).
   - wireguard: kconfig: use arm chacha even with no neon (git-fixes).
   - wireguard: selftests: test multiple parallel streams (git-fixes).
   - wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
   - x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1152489).
   - x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (bsc#1152489).
   - x86/ioapic: Ignore IRQ2 again (bsc#1152489).
   - x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (bsc#1152489).
   - xen/events: avoid handling the same event on two cpus at the same time (git-fixes).
   - xen/events: do not unmask an event channel when an eoi is pending (git-fixes).
   - xen/events: fix setting irq affinity (bsc#1184583).
   - xen/events: reset affinity of 2-level event when tearing it down (git-fixes).
   - xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
   - xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
   - xfs: group quota should return EDQUOT when prj quota enabled (bsc#1180980).
   - xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (git-fixes).
   - xhci: Improve detection of device initiated wake signal (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP2:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2021-1211=1

Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

      cluster-md-kmp-rt-5.3.18-33.1
      cluster-md-kmp-rt-debuginfo-5.3.18-33.1
      dlm-kmp-rt-5.3.18-33.1
      dlm-kmp-rt-debuginfo-5.3.18-33.1
      gfs2-kmp-rt-5.3.18-33.1
      gfs2-kmp-rt-debuginfo-5.3.18-33.1
      kernel-rt-5.3.18-33.1
      kernel-rt-debuginfo-5.3.18-33.1
      kernel-rt-debugsource-5.3.18-33.1
      kernel-rt-devel-5.3.18-33.1
      kernel-rt-devel-debuginfo-5.3.18-33.1
      kernel-rt_debug-debuginfo-5.3.18-33.1
      kernel-rt_debug-debugsource-5.3.18-33.1
      kernel-rt_debug-devel-5.3.18-33.1
      kernel-rt_debug-devel-debuginfo-5.3.18-33.1
      kernel-syms-rt-5.3.18-33.1
      ocfs2-kmp-rt-5.3.18-33.1
      ocfs2-kmp-rt-debuginfo-5.3.18-33.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

      kernel-devel-rt-5.3.18-33.1
      kernel-source-rt-5.3.18-33.1

References:

   https://www.suse.com/security/cve/CVE-2019-18814.html
   https://www.suse.com/security/cve/CVE-2019-19769.html
   https://www.suse.com/security/cve/CVE-2020-25670.html
   https://www.suse.com/security/cve/CVE-2020-25671.html
   https://www.suse.com/security/cve/CVE-2020-25672.html
   https://www.suse.com/security/cve/CVE-2020-25673.html
   https://www.suse.com/security/cve/CVE-2020-27170.html
   https://www.suse.com/security/cve/CVE-2020-27171.html
   https://www.suse.com/security/cve/CVE-2020-27815.html
   https://www.suse.com/security/cve/CVE-2020-35519.html
   https://www.suse.com/security/cve/CVE-2020-36310.html
   https://www.suse.com/security/cve/CVE-2020-36311.html
   https://www.suse.com/security/cve/CVE-2020-36312.html
   https://www.suse.com/security/cve/CVE-2021-27363.html
   https://www.suse.com/security/cve/CVE-2021-27364.html
   https://www.suse.com/security/cve/CVE-2021-27365.html
   https://www.suse.com/security/cve/CVE-2021-28038.html
   https://www.suse.com/security/cve/CVE-2021-28375.html
   https://www.suse.com/security/cve/CVE-2021-28660.html
   https://www.suse.com/security/cve/CVE-2021-28688.html
   https://www.suse.com/security/cve/CVE-2021-28950.html
   https://www.suse.com/security/cve/CVE-2021-28964.html
   https://www.suse.com/security/cve/CVE-2021-28971.html
   https://www.suse.com/security/cve/CVE-2021-28972.html
   https://www.suse.com/security/cve/CVE-2021-29154.html
   https://www.suse.com/security/cve/CVE-2021-29264.html
   https://www.suse.com/security/cve/CVE-2021-29265.html
   https://www.suse.com/security/cve/CVE-2021-29647.html
   https://www.suse.com/security/cve/CVE-2021-30002.html
   https://www.suse.com/security/cve/CVE-2021-3428.html
   https://www.suse.com/security/cve/CVE-2021-3444.html
   https://www.suse.com/security/cve/CVE-2021-3483.html
   https://bugzilla.suse.com/1047233
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1113295
   https://bugzilla.suse.com/1152472
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1153274
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156256
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1159280
   https://bugzilla.suse.com/1160634
   https://bugzilla.suse.com/1167773
   https://bugzilla.suse.com/1168777
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169709
   https://bugzilla.suse.com/1171295
   https://bugzilla.suse.com/1173485
   https://bugzilla.suse.com/1177326
   https://bugzilla.suse.com/1178163
   https://bugzilla.suse.com/1178181
   https://bugzilla.suse.com/1178330
   https://bugzilla.suse.com/1179454
   https://bugzilla.suse.com/1180197
   https://bugzilla.suse.com/1180980
   https://bugzilla.suse.com/1181383
   https://bugzilla.suse.com/1181507
   https://bugzilla.suse.com/1181674
   https://bugzilla.suse.com/1181862
   https://bugzilla.suse.com/1182011
   https://bugzilla.suse.com/1182077
   https://bugzilla.suse.com/1182485
   https://bugzilla.suse.com/1182552
   https://bugzilla.suse.com/1182574
   https://bugzilla.suse.com/1182591
   https://bugzilla.suse.com/1182595
   https://bugzilla.suse.com/1182712
   https://bugzilla.suse.com/1182713
   https://bugzilla.suse.com/1182715
   https://bugzilla.suse.com/1182716
   https://bugzilla.suse.com/1182717
   https://bugzilla.suse.com/1182770
   https://bugzilla.suse.com/1182989
   https://bugzilla.suse.com/1183015
   https://bugzilla.suse.com/1183018
   https://bugzilla.suse.com/1183022
   https://bugzilla.suse.com/1183023
   https://bugzilla.suse.com/1183048
   https://bugzilla.suse.com/1183252
   https://bugzilla.suse.com/1183277
   https://bugzilla.suse.com/1183278
   https://bugzilla.suse.com/1183279
   https://bugzilla.suse.com/1183280
   https://bugzilla.suse.com/1183281
   https://bugzilla.suse.com/1183282
   https://bugzilla.suse.com/1183283
   https://bugzilla.suse.com/1183284
   https://bugzilla.suse.com/1183285
   https://bugzilla.suse.com/1183286
   https://bugzilla.suse.com/1183287
   https://bugzilla.suse.com/1183288
   https://bugzilla.suse.com/1183366
   https://bugzilla.suse.com/1183369
   https://bugzilla.suse.com/1183386
   https://bugzilla.suse.com/1183405
   https://bugzilla.suse.com/1183412
   https://bugzilla.suse.com/1183416
   https://bugzilla.suse.com/1183427
   https://bugzilla.suse.com/1183428
   https://bugzilla.suse.com/1183445
   https://bugzilla.suse.com/1183447
   https://bugzilla.suse.com/1183501
   https://bugzilla.suse.com/1183509
   https://bugzilla.suse.com/1183530
   https://bugzilla.suse.com/1183534
   https://bugzilla.suse.com/1183540
   https://bugzilla.suse.com/1183593
   https://bugzilla.suse.com/1183596
   https://bugzilla.suse.com/1183598
   https://bugzilla.suse.com/1183637
   https://bugzilla.suse.com/1183646
   https://bugzilla.suse.com/1183662
   https://bugzilla.suse.com/1183686
   https://bugzilla.suse.com/1183692
   https://bugzilla.suse.com/1183696
   https://bugzilla.suse.com/1183750
   https://bugzilla.suse.com/1183757
   https://bugzilla.suse.com/1183775
   https://bugzilla.suse.com/1183843
   https://bugzilla.suse.com/1183859
   https://bugzilla.suse.com/1183871
   https://bugzilla.suse.com/1184074
   https://bugzilla.suse.com/1184120
   https://bugzilla.suse.com/1184167
   https://bugzilla.suse.com/1184168
   https://bugzilla.suse.com/1184170
   https://bugzilla.suse.com/1184176
   https://bugzilla.suse.com/1184192
   https://bugzilla.suse.com/1184193
   https://bugzilla.suse.com/1184194
   https://bugzilla.suse.com/1184196
   https://bugzilla.suse.com/1184198
   https://bugzilla.suse.com/1184211
   https://bugzilla.suse.com/1184217
   https://bugzilla.suse.com/1184218
   https://bugzilla.suse.com/1184219
   https://bugzilla.suse.com/1184220
   https://bugzilla.suse.com/1184224
   https://bugzilla.suse.com/1184388
   https://bugzilla.suse.com/1184391
   https://bugzilla.suse.com/1184393
   https://bugzilla.suse.com/1184509
   https://bugzilla.suse.com/1184511
   https://bugzilla.suse.com/1184512
   https://bugzilla.suse.com/1184514
   https://bugzilla.suse.com/1184583
   https://bugzilla.suse.com/1184647

From sle-security-updates at lists.suse.com Thu Apr 15 19:51:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 15 Apr 2021 21:51:26 +0200 (CEST)
Subject: SUSE-SU-2021:1233-1: moderate: Security update for grafana and system-user-grafana
Message-ID: <20210415195126.CBAB2FCF8@maintenance.suse.de>

SUSE Security Update: Security update for grafana and system-user-grafana
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1233-1
Rating: moderate
References: #1148383 #1170557 #1170657 #1172409 #1172450 #1175951 #1178243
Cross-References: CVE-2018-18623 CVE-2019-15043 CVE-2019-19499 CVE-2020-12052 CVE-2020-12245 CVE-2020-13379 CVE-2020-24303
CVSS scores:
   CVE-2018-18623 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
   CVE-2018-18623 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
   CVE-2019-15043 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2019-15043 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
   CVE-2019-19499 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
   CVE-2019-19499 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
   CVE-2020-12052 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
   CVE-2020-12052 (SUSE): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
   CVE-2020-12245 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
   CVE-2020-12245 (SUSE): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
   CVE-2020-13379 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
   CVE-2020-13379 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE-2020-24303 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
   CVE-2020-24303 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products:
   SUSE Manager Tools 15
   SUSE Enterprise Storage 6
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

   This update for grafana and system-user-grafana fixes the following issues:

   - Updated grafana to upstream version 7.3.1
     * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana
     * CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip (bsc#1170557)
     * CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault (bsc#1172409)
     * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use.
       This makes it possible to run a denial of service attack against the server running Grafana (bsc#1148383)
     * CVE-2020-12052: Grafana version below 6.7.3 is vulnerable to annotation popup XSS (bsc#1170657)
     * CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. (bsc#1178243)
     * CVE-2018-18623: Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen (bsc#1172450)
     * CVE-2019-19499: Grafana versions below or equal to 6.4.3 have an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations (bsc#1175951)
     * Please refer to this package's changelog to get a full list of all changes (including bug fixes etc.)
   - Initial shipment of system-user-grafana to SES 6

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 15:

      zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-1233=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1233=1

Package List:

   - SUSE Manager Tools 15 (noarch):

      system-user-grafana-1.0.0-3.9.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      grafana-7.3.1-3.6.1

   - SUSE Enterprise Storage 6 (noarch):

      system-user-grafana-1.0.0-3.9.1

References:

   https://www.suse.com/security/cve/CVE-2018-18623.html
   https://www.suse.com/security/cve/CVE-2019-15043.html
   https://www.suse.com/security/cve/CVE-2019-19499.html
   https://www.suse.com/security/cve/CVE-2020-12052.html
   https://www.suse.com/security/cve/CVE-2020-12245.html
   https://www.suse.com/security/cve/CVE-2020-13379.html
   https://www.suse.com/security/cve/CVE-2020-24303.html
   https://bugzilla.suse.com/1148383
   https://bugzilla.suse.com/1170557
   https://bugzilla.suse.com/1170657
   https://bugzilla.suse.com/1172409
   https://bugzilla.suse.com/1172450
   https://bugzilla.suse.com/1175951
   https://bugzilla.suse.com/1178243

From sle-security-updates at lists.suse.com Fri Apr 16 13:16:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Apr 2021 15:16:02 +0200 (CEST)
Subject: SUSE-SU-2021:14700-1: important: Security update for openldap2
Message-ID: <20210416131602.0CEC0FD20@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14700-1
Rating: important
References: #1182279 #1182408 #1182411 #1182412 #1182413 #1182415 #1182416 #1182417 #1182418 #1182419 #1182420 #1184020
Cross-References: CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
CVSS scores:
   CVE-2020-36221 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36221 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36223 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36223 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36224 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36224 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36225 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36225 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36226 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36226 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36227 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36227 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36228 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36228 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36229 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36229 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36230 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2020-36230 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-27212 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-27212 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
   SUSE Linux Enterprise Server 11-SP4-LTSS
   SUSE Linux Enterprise Server 11-SECURITY
   SUSE Linux Enterprise Point of Sale 11-SP3
   SUSE Linux Enterprise Debuginfo 11-SP4
   SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves 11 vulnerabilities and has one errata is now available.

Description:

   This update for openldap2 fixes the following issues:

   - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
   - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
   - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
   - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
   - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
   - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
   - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
   - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
   - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
   - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
   - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
   - resynchronise changelogs with subpackages (bsc#1184020).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-openldap2-14700=1

   - SUSE Linux Enterprise Server 11-SECURITY:

      zypper in -t patch secsp3-openldap2-14700=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-openldap2-14700=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-openldap2-14700=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-openldap2-14700=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      compat-libldap-2_3-0-2.3.37-2.74.26.1
      libldap-2_4-2-2.4.26-0.74.26.1
      openldap2-2.4.26-0.74.26.1
      openldap2-back-meta-2.4.26-0.74.26.1
      openldap2-client-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):

      libldap-2_4-2-32bit-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-2.4.26-0.74.26.1
      openldap2-client-openssl1-2.4.26-0.74.26.1
      openldap2-openssl1-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-32bit-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Server 11-SECURITY (ia64):

      libldap-openssl1-2_4-2-x86-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      compat-libldap-2_3-0-2.3.37-2.74.26.1
      libldap-2_4-2-2.4.26-0.74.26.1
      openldap2-2.4.26-0.74.26.1
      openldap2-back-meta-2.4.26-0.74.26.1
      openldap2-client-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      openldap2-client-debuginfo-2.4.26-0.74.26.1
      openldap2-client-debugsource-2.4.26-0.74.26.1
      openldap2-debuginfo-2.4.26-0.74.26.1
      openldap2-debugsource-2.4.26-0.74.26.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      openldap2-client-debuginfo-2.4.26-0.74.26.1
      openldap2-client-debugsource-2.4.26-0.74.26.1
      openldap2-client-openssl1-debuginfo-2.4.26-0.74.26.1
      openldap2-client-openssl1-debugsource-2.4.26-0.74.26.1
      openldap2-debuginfo-2.4.26-0.74.26.1
      openldap2-debugsource-2.4.26-0.74.26.1

References:

   https://www.suse.com/security/cve/CVE-2020-36221.html
   https://www.suse.com/security/cve/CVE-2020-36222.html
   https://www.suse.com/security/cve/CVE-2020-36223.html
   https://www.suse.com/security/cve/CVE-2020-36224.html
   https://www.suse.com/security/cve/CVE-2020-36225.html
   https://www.suse.com/security/cve/CVE-2020-36226.html
   https://www.suse.com/security/cve/CVE-2020-36227.html
   https://www.suse.com/security/cve/CVE-2020-36228.html
   https://www.suse.com/security/cve/CVE-2020-36229.html
   https://www.suse.com/security/cve/CVE-2020-36230.html
   https://www.suse.com/security/cve/CVE-2021-27212.html
   https://bugzilla.suse.com/1182279
   https://bugzilla.suse.com/1182408
   https://bugzilla.suse.com/1182411
   https://bugzilla.suse.com/1182412
   https://bugzilla.suse.com/1182413
   https://bugzilla.suse.com/1182415
   https://bugzilla.suse.com/1182416
   https://bugzilla.suse.com/1182417
   https://bugzilla.suse.com/1182418
   https://bugzilla.suse.com/1182419
   https://bugzilla.suse.com/1182420
   https://bugzilla.suse.com/1184020

From sle-security-updates at lists.suse.com Fri Apr 16 13:18:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 16 Apr 2021 15:18:25 +0200 (CEST)
Subject: SUSE-SU-2021:1238-1: important: Security update for the Linux Kernel
Message-ID: <20210416131825.750E8FD20@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1238-1
Rating: important
References:
   #1047233 #1065729 #1113295 #1152472 #1152489 #1153274 #1154353 #1155518
   #1156256 #1156395 #1159280 #1160634 #1167574 #1167773 #1168777 #1169514
   #1169709 #1171295 #1173485 #1175995 #1177326 #1178163 #1178181 #1178330
   #1179454 #1180197 #1180980 #1181383 #1181507 #1181674 #1181862 #1182011
   #1182077 #1182485 #1182552 #1182574 #1182591 #1182595 #1182715 #1182716
   #1182717 #1182770 #1182989 #1183015 #1183018 #1183022 #1183023 #1183048
   #1183252 #1183277 #1183278 #1183279 #1183280 #1183281 #1183282 #1183283
   #1183284 #1183285 #1183286 #1183287 #1183288 #1183366 #1183369 #1183386
   #1183405 #1183412 #1183416 #1183427 #1183428 #1183445 #1183447 #1183501
   #1183509 #1183530 #1183534 #1183540 #1183593 #1183596 #1183598 #1183637
   #1183646 #1183662 #1183686 #1183692 #1183696 #1183750 #1183757 #1183775
   #1183843 #1183859 #1183871 #1184074 #1184120 #1184167 #1184168 #1184170
   #1184176 #1184192 #1184193 #1184194 #1184196 #1184198 #1184211 #1184217
   #1184218 #1184219 #1184220 #1184224 #1184388 #1184391 #1184393 #1184485
   #1184509 #1184511 #1184512 #1184514 #1184583 #1184585 #1184647
Cross-References:
   CVE-2019-18814 CVE-2019-19769 CVE-2020-25670 CVE-2020-25671
   CVE-2020-25672 CVE-2020-25673 CVE-2020-27170 CVE-2020-27171
   CVE-2020-27815 CVE-2020-35519 CVE-2020-36310 CVE-2020-36311
   CVE-2020-36312 CVE-2020-36322 CVE-2021-27363 CVE-2021-27364
   CVE-2021-27365 CVE-2021-28038 CVE-2021-28375 CVE-2021-28660
   CVE-2021-28688 CVE-2021-28950 CVE-2021-28964 CVE-2021-28971
   CVE-2021-28972 CVE-2021-29154 CVE-2021-29264 CVE-2021-29265
   CVE-2021-29647 CVE-2021-30002 CVE-2021-3428 CVE-2021-3444
   CVE-2021-3483
CVSS scores:
CVE-2019-18814 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-18814 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19769 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-19769 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36310 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36312 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28375 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28950 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28964 (SUSE): 6.2 
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE MicroOS 5.0
SUSE Linux Enterprise Workstation Extension 15-SP2
SUSE Linux Enterprise Module for Live Patching 15-SP2
SUSE Linux Enterprise Module for Legacy Software 15-SP2
SUSE Linux Enterprise Module for Development Tools 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP2
SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

An update that solves 33 vulnerabilities and has 86 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280).
- CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).
- CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
- CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a retry loop was continually finding the same bad inode (bsc#1184194).
- CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509).
- CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
- CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in the NFC subsystem (bsc#1178181).
- CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation which could have caused a system crash (bsc#1184211).
The following non-security bugs were fixed: - 0007-block-add-docs-for-gendisk-request_queue-refcount-he.patch: (bsc#1171295, git fixes (block drivers)). - 0008-block-revert-back-to-synchronous-request_queue-remov.patch: (bsc#1171295, git fixes (block drivers)). - 0009-blktrace-fix-debugfs-use-after-free.patch: (bsc#1171295, git fixes (block drivers)). - ACPI: bus: Constify is_acpi_node() and friends (part 2) (git-fixes). - ACPICA: Always create namespace nodes using acpi_ns_create_node() (git-fixes). - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383). - ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (git-fixes). - ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes). - ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (git-fixes). - ACPI: video: Add missing callback back for Sony VPCEH3U1E (git-fixes). - ALSA: aloop: Fix initialization of controls (git-fixes). - ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (git-fixes). - ALSA: hda: Avoid spurious unsol event handling during S3/S4 (git-fixes). - ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes). - ALSA: hda: generic: Fix the micmute led init state (git-fixes). - ALSA: hda/hdmi: Cancel pending works before suspend (git-fixes). - ALSA: hda/realtek: Add quirk for Clevo NH55RZQ (git-fixes). - ALSA: hda/realtek: Add quirk for Intel NUC 10 (git-fixes). - ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board (git-fixes). - ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (git-fixes). - ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (git-fixes). - ALSA: hda/realtek: Enable headset mic of Acer SWIFT with ALC256 (git-fixes). - ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (git-fixes). - ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (git-fixes). - ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk (bsc#1182552). 
- ALSA: usb-audio: Allow modifying parameters with succeeding hw_params calls (bsc#1182552). - ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (git-fixes). - ALSA: usb-audio: Apply the control quirk to Plantronics headsets (bsc#1182552). - ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() (bsc#1182552). - ALSA: usb-audio: Do not abort even if the clock rate differs (bsc#1182552). - ALSA: usb-audio: Drop bogus dB range in too low level (bsc#1182552). - ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar (bsc#1182552). - ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe (bsc#1182552). - ALSA: usb-audio: Fix "RANGE setting not yet supported" errors (git-fixes). - ALSA: usb-audio: fix use after free in usb_audio_disconnect (bsc#1182552). - ALSA: usb-audio: Skip the clock selector inquiry for single connections (git-fixes). - ALSA: usb: Use DIV_ROUND_UP() instead of open-coding it (git-fixes). - amd/amdgpu: Disable VCN DPG mode for Picasso (git-fixes). - apparmor: check/put label on apparmor_sk_clone_security() (git-fixes). - appletalk: Fix skb allocation size in loopback case (git-fixes). - arm64: make STACKPROTECTOR_PER_TASK configurable (bsc#1181862). - ASoC: ak4458: Add MODULE_DEVICE_TABLE (git-fixes). - ASoC: ak5558: Add MODULE_DEVICE_TABLE (git-fixes). - ASoC: cs42l42: Always wait at least 3ms after reset (git-fixes). - ASoC: cs42l42: Do not enable/disable regulator at Bias Level (git-fixes). - ASoC: cs42l42: Fix Bitclock polarity inversion (git-fixes). - ASoC: cs42l42: Fix channel width support (git-fixes). - ASoC: cs42l42: Fix mixer volume control (git-fixes). - ASoC: cygnus: fix for_each_child.cocci warnings (git-fixes). - ASoC: es8316: Simplify adc_pga_gain_tlv table (git-fixes). - ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (git-fixes). 
- ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions (git-fixes). - ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold (git-fixes). - ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (git-fixes). - ASoC: max98373: Added 30ms turn on/off time delay (git-fixes). - ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes). - ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes). - ASoC: rt5670: Add emulated 'DAC1 Playback Switch' control (git-fixes). - ASoC: rt5670: Remove ADC vol-ctrl mute bits poking from Sto1 ADC mixer settings (git-fixes). - ASoC: rt5670: Remove 'HP Playback Switch' control (git-fixes). - ASoC: rt5670: Remove 'OUT Channel Switch' control (git-fixes). - ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (git-fixes). - ASoC: simple-card-utils: Do not handle device clock (git-fixes). - ASoC: sunxi: sun4i-codec: fill ASoC card owner (git-fixes). - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes). - ath10k: fix wmi mgmt tx queue full due to race condition (git-fixes). - ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (git-fixes). - ath9k: fix transmitting to stations in dynamic SMPS mode (git-fixes). - atl1c: fix error return code in atl1c_probe() (git-fixes). - atl1e: fix error return code in atl1e_probe() (git-fixes). - batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field (git-fixes). 
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes). - blktrace-annotate-required-lock-on-do_blk_trace_setu.patch: (bsc#1171295). - blktrace-Avoid-sparse-warnings-when-assigning-q-blk_.patch: (bsc#1171295). - blktrace-break-out-of-blktrace-setup-on-concurrent-c.patch: (bsc#1171295). - block-clarify-context-for-refcount-increment-helpers.patch: (bsc#1171295). - block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes). - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes). - Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (git-fixes). - bnxt_en: reliably allocate IRQ table on reset to avoid crash (jsc#SLE-8371 bsc#1153274). - bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775). - bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (bsc#1155518). - bpf: Declare __bpf_free_used_maps() unconditionally (bsc#1155518). - bpf: Do not do bpf_cgroup_storage_set() for kuprobe/tp programs (bsc#1155518). - bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170). - bpf: Fix verifier jsgt branch analysis on max bound (bsc#1155518). - bpf_lru_list: Read double-checked variable once without lock (bsc#1155518). - bpf: Remove MTU check in __bpf_skb_max_len (bsc#1155518). - bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775). - bpf, sockmap: Fix sk->prot unhash op reset (bsc#1155518). - bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163). - brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (git-fixes). - brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (git-fixes). - brcmfmac: clear EAP/association status bits on linkdown events (git-fixes). - btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (bsc#1184217). - btrfs: always pin deleted leaves when there are active tree mod log users (bsc#1184224). 
- btrfs: fix exhaustion of the system chunk array due to concurrent allocations (bsc#1183386). - btrfs: fix extent buffer leak on failure to copy root (bsc#1184218). - btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193). - btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled (bsc#1184220). - btrfs: fix subvolume/snapshot deletion not triggered on mount (bsc#1184219). - bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes). - bus: ti-sysc: Fix warning on unbind if reset is not deasserted (git-fixes). - can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes). - can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes). - can: flexcan: assert FRZ bit in flexcan_chip_freeze() (git-fixes). - can: flexcan: enable RX FIFO after FRZ/HALT valid (git-fixes). - can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (git-fixes). - can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (git-fixes). - can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes). - can: peak_usb: add forgotten supported devices (git-fixes). - can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes). - can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes). - cdc-acm: fix BREAK rx code path adding necessary calls (git-fixes). - cifs: change noisy error message to FYI (bsc#1181507). - cifs: check pointer before freeing (bsc#1183534). - cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507). - cifs: do not send close in compound create+close requests (bsc#1181507). - cifs: New optype for session operations (bsc#1181507). - cifs: print MIDs in decimal notation (bsc#1181507). - cifs: return proper error code in statfs(2) (bsc#1181507). - cifs: Tracepoints and logs for tracing credit changes (bsc#1181507). - clk: fix invalid usage of list cursor in register (git-fixes). 
- clk: fix invalid usage of list cursor in unregister (git-fixes). - clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes). - completion: Drop init_completion define (git-fixes). - configfs: fix a use-after-free in __configfs_open_file (git-fixes). - config: net: freescale: change xgmac-mdio to built-in References: bsc#1183015,bsc#1182595 - crypto: aesni - prevent misaligned buffers on the stack (git-fixes). - crypto: arm64/sha - add missing module aliases (git-fixes). - crypto: bcm - Rename struct device_private to bcm_device_private (git-fixes). - crypto: Kconfig - CRYPTO_MANAGER_EXTRA_TESTS requires the manager (git-fixes). - crypto: tcrypt - avoid signed overflow in byte count (git-fixes). - Delete patches.suse/sched-Reenable-interrupts-in-do_sched_yield.patch (bsc#1183530) - dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574, bsc#1175995, bsc#1184485). - drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue (git-fixes). - drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes). - drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (git-fixes). - drm/amdgpu: Add check to prevent IH overflow (git-fixes). - drm/amdgpu: check alignment on CPU page for bo map (git-fixes). - drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (git-fixes). - drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (git-fixes). - drm/amdkfd: Put ACPI table after using it (bsc#1152489) - drm/amd/powerplay: fix spelling mistake "smu_state_memroy_block" -> (bsc#1152489) - drm/compat: Clear bounce structures (git-fixes). - drm/hisilicon: Fix use-after-free (git-fixes). - drm/i915: Fix invalid access to ACPI _DSM objects (bsc#1184074). - drm/i915: Reject 446-480MHz HDMI clock on GLK (git-fixes). - drm/mediatek: Fix aal size config (bsc#1152489) - drm: meson_drv add shutdown function (git-fixes). - drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes). 
- drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup to other GPUs (git-fixes). - drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (git-fixes). - drm/msm: Fix races managing the OOB state for timestamp vs (bsc#1152489) - drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes). - drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1152489) - drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1152489) - drm/msm/gem: Add obj->lock wrappers (bsc#1152489) - drm/msm: Ratelimit invalid-fence message (git-fixes). - drm/msm: Set drvdata to NULL when msm_drm_init() fails (git-fixes). - drm/nouveau: bail out of nouveau_channel_new if channel init fails (bsc#1152489) - drm/nouveau/kms: handle mDP connectors (git-fixes). - drm/panfrost: Do not corrupt the queue mutex on open/close (bsc#1152472) - drm/panfrost: Fix job timeout handling (bsc#1152472) - drm/panfrost: Remove unused variables in panfrost_job_close() (bsc#1152472) - drm/radeon: fix AGP dependency (git-fixes). - drm: rcar-du: Fix crash when using LVDS1 clock for CRTC (bsc#1152489) - drm/sched: Cancel and flush all outstanding jobs before finish (git-fixes). - drm/sun4i: tcon: fix inverted DCLK polarity (bsc#1152489) - drm/tegra: sor: Grab runtime PM reference across reset (git-fixes). - drm/vc4: hdmi: Restore cec physical address on reconnect (bsc#1152472) - efi: use 32-bit alignment for efi_guid_t literals (git-fixes). - enetc: Fix reporting of h/w packet counters (git-fixes). - epoll: check for events when removing a timed out thread from the wait queue (git-fixes). - ethernet: alx: fix order of calls on resume (git-fixes). - exec: Move would_dump into flush_old_exec (git-fixes). - exfat: add missing MODULE_ALIAS_FS() (bsc#1182989). - exfat: add the dummy mount options to be backward compatible with staging/exfat (bsc#1182989). - extcon: Add stubs for extcon_register_notifier_all() functions (git-fixes). - extcon: Fix error handling in extcon_dev_register (git-fixes). 
- fbdev: aty: SPARC64 requires FB_ATY_CT (git-fixes). - firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes). - flow_dissector: fix byteorder of dissected ICMP ID (bsc#1154353). - fsl/fman: check dereferencing null pointer (git-fixes). - fsl/fman: fix dereference null return value (git-fixes). - fsl/fman: fix eth hash table allocation (git-fixes). - fsl/fman: fix unreachable code (git-fixes). - fsl/fman: use 32-bit unsigned integer (git-fixes). - fuse: fix bad inode (bsc#1184211). - fuse: fix live lock in fuse_iget() (bsc#1184211). - fuse: verify write return (git-fixes). - gcc-plugins: drop support for GCC <= 4.7 (bcs#1181862). - gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (bcs#1181862). - gcc-plugins: simplify GCC plugin-dev capability test (bsc#1181862). - gianfar: Account for Tx PTP timestamp in the skb headroom (git-fixes). - gianfar: Fix TX timestamping with a stacked DSA driver (git-fixes). - gianfar: Handle error code at MAC address change (git-fixes). - gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP (git-fixes). - Goodix Fingerprint device is not a modem (git-fixes). - gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes). - gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2 (git-fixes). - gpio: zynq: fix reference leak in zynq_gpio functions (git-fixes). - HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (git-fixes). - HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (git-fixes). - HSI: Fix PM usage counter unbalance in ssi_hw_init (git-fixes). - hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (git-fixes). - i2c: rcar: faster irq code to minimize HW race condition (git-fixes). - i2c: rcar: optimize cacheline to minimize HW race condition (git-fixes). - i40e: Fix parameters in aq_get_phy_register() (jsc#SLE-8025). - i40e: Fix sparse error: 'vsi->netdev' could be null (jsc#SLE-8025). 
- iavf: Fix incorrect adapter get in iavf_resume (git-fixes). - iavf: use generic power management (git-fixes). - ibmvnic: add comments for spinlock_t definitions (bsc#1183871 ltc#192139). - ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844). - ibmvnic: avoid multiple line dereference (bsc#1183871 ltc#192139). - ibmvnic: fix block comments (bsc#1183871 ltc#192139). - ibmvnic: fix braces (bsc#1183871 ltc#192139). - ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139). - ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (jsc#SLE-17268). - ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 ltc#192139). - ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139). - ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1183871 ltc#192139). - ibmvnic: remove excessive irqsave (bsc#1182485 ltc#191591). - ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1183871 ltc#192139). - ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1183871 ltc#192139). - ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1183871 ltc#192139). - ibmvnic: simplify reset_long_term_buff function (bsc#1183023 ltc#191791). - ibmvnic: substitute mb() with dma_wmb() for send_*crq* functions (bsc#1183023 ltc#191791). - ice: fix memory leak if register_netdev_fails (git-fixes). - ice: fix memory leak in ice_vsi_setup (git-fixes). - ice: Fix state bits on LLDP mode switch (jsc#SLE-7926). - ice: remove DCBNL_DEVRESET bit from PF state (jsc#SLE-7926). - ice: renegotiate link after FW DCB on (jsc#SLE-8464). - ice: report correct max number of TCs (jsc#SLE-7926). - ice: update the number of available RSS queues (jsc#SLE-7926). - igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634). - iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (git-fixes). - iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes). 
- iio: adis16400: Fix an error code in adis16400_initial_setup() (git-fixes). - iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes). - iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes). - iio: hid-sensor-prox: Fix scale not correct issue (git-fixes). - iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes). - include/linux/sched/mm.h: use rcu_dereference in in_vfork() (git-fixes). - Input: applespi - do not wait for responses to commands indefinitely (git-fixes). - Input: elantech - fix protocol errors for some trackpoints in SMBus mode (git-fixes). - Input: i8042 - add ASUS Zenbook Flip to noselftest list (git-fixes). - Input: raydium_ts_i2c - do not send zero length (git-fixes). - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (git-fixes). - iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183277). - iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183278). - iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183637). - iommu/vt-d: Add get_domain_info() helper (bsc#1183279). - iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183280). - iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183281). - iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183282). - iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183283). - iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183284). - iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183285). - iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183286). - iommu/vt-d: Use device numa domain if RHSA is missing (bsc#1184585). - ionic: linearize tso skb with too many frags (bsc#1167773). - kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). 
- kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig (bcs#1181862). - kbuild: change *FLAGS_.o to take the path relative to $(obj) (bcs#1181862). - kbuild: dummy-tools, fix inverted tests for gcc (bcs#1181862). - kbuild: dummy-tools, support MPROFILE_KERNEL checks for ppc (bsc#1181862). - kbuild: Fail if gold linker is detected (bcs#1181862). - kbuild: improve cc-option to clean up all temporary files (bsc#1178330). - kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled (bcs#1181862). - kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc (bcs#1181862). - kbuild: stop filtering out $(GCC_PLUGINS_CFLAGS) from cc-option base (bcs#1181862). - kbuild: use -S instead of -E for precise cc-option test in Kconfig (bsc#1178330). - kconfig: introduce m32-flag and m64-flag (bcs#1181862). - KVM: nVMX: Properly handle userspace interrupt window request (bsc#1183427). - KVM: SVM: Clear the CR4 register on reset (bsc#1183252). - KVM: x86: Add helpers to perform CPUID-based guest vendor check (bsc#1183445). - KVM: x86: Add RIP to the kvm_entry, i.e. VM-Enter, tracepoint Needed as a dependency of 0b40723a827 ("kvm: tracing: Fix unmatched kvm_entry and kvm_exit events", bsc#1182770). - KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183287). - KVM: x86: do not reset microcode version on INIT or RESET (bsc#1183412). - KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1183447). - KVM: x86: list MSR_IA32_UCODE_REV as an emulated MSR (bsc#1183369). - KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries (bsc#1183428). - KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183288). - libbpf: Clear map_info before each bpf_obj_get_info_by_fd (bsc#1155518). - libbpf: Fix BTF dump of pointer-to-array-of-struct (bsc#1155518). - libbpf: Fix INSTALL flag order (bsc#1155518). - libbpf: Only create rx and tx XDP rings when necessary (bsc#1155518). 
- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (bsc#1155518). - lib/syscall: fix syscall registers retrieval on 32-bit platforms (git-fixes). - locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes). - loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch: (bsc#1171295). - mac80211: choose first enabled channel for monitor (git-fixes). - mac80211: fix double free in ibss_leave (git-fixes). - mac80211: fix rate mask reset (git-fixes). - mac80211: fix TXQ AC confusion (git-fixes). - mdio: fix mdio-thunder.c dependency & build error (git-fixes). - media: cros-ec-cec: do not bail on device_init_wakeup failure (git-fixes). - media: cx23885: add more quirks for reset DMA on some AMD IOMMU (git-fixes). - media: mceusb: Fix potential out-of-bounds shift (git-fixes). - media: mceusb: sanity check for prescaler value (git-fixes). - media: rc: compile rc-cec.c into rc-core (git-fixes). - media: usbtv: Fix deadlock on suspend (git-fixes). - media: uvcvideo: Allow entities with no pads (git-fixes). - media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (git-fixes). - media: v4l: vsp1: Fix bru null pointer access (git-fixes). - media: v4l: vsp1: Fix uif null pointer access (git-fixes). - media: vicodec: add missing v4l2_ctrl_request_hdl_put() (git-fixes). - misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes). - misc: fastrpc: restrict user apps from sending kernel RPC messages (git-fixes). - misc/pvpanic: Export module FDT device table (git-fixes). - misc: rtsx: init of rts522a add OCP power off when no card is present (git-fixes). - mISDN: fix crash in fritzpci (git-fixes). - mmc: core: Fix partition switch time for eMMC (git-fixes). - mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes). - mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' (git-fixes). - mmc: sdhci-esdhc-imx: fix kernel panic when remove module (git-fixes). 
- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes). - mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page (git-fixes). - mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1168777). - mount: fix mounting of detached mounts onto targets that reside on shared mounts (git-fixes). - mt76: dma: do not report truncated frames to mac80211 (git-fixes). - mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes). - net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes). - net: atheros: switch from 'pci_' to 'dma_' API (git-fixes). - net: b44: fix error return code in b44_init_one() (git-fixes). - net: bonding: fix error return code of bond_neigh_init() (bsc#1154353). - net: cdc-phonet: fix data-interface release on probe failure (git-fixes). - net: core: introduce __netdev_notify_peers (bsc#1183871 ltc#192139). - netdevsim: init u64 stats for 32bit hardware (git-fixes). - net: dsa: rtl8366: Fix VLAN semantics (git-fixes). - net: dsa: rtl8366: Fix VLAN set-up (git-fixes). - net: dsa: rtl8366rb: Support all 4096 VLANs (git-fixes). - net: enic: Cure the enic api locking trainwreck (git-fixes). - net: ethernet: aquantia: Fix wrong return value (git-fixes). - net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop (git-fixes). - net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1183871 ltc#192139). - net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port (git-fixes). - net: ethernet: ti: cpsw: fix error return code in cpsw_probe() (git-fixes). - net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes). - net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes). - net: fec: Fix reference count leak in fec series ops (git-fixes). - net: gemini: Fix another missing clk_disable_unprepare() in probe (git-fixes). - net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (git-fixes). 
- net: gianfar: Add of_node_put() before goto statement (git-fixes). - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device (git-fixes). - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup (git-fixes). - net: hns3: Remove the left over redundant check & assignment (bsc#1154353). - net: korina: cast KSEG0 address to pointer in kfree (git-fixes). - net: korina: fix kfree of rx/tx descriptor array (git-fixes). - net: lantiq: Wait for the GPHY firmware to be ready (git-fixes). - net/mlx5: Disable devlink reload for lag devices (jsc#SLE-8464). - net/mlx5: Disable devlink reload for multi port slave device (jsc#SLE-8464). - net/mlx5: Disallow RoCE on lag device (jsc#SLE-8464). - net/mlx5: Disallow RoCE on multi port slave device (jsc#SLE-8464). - net/mlx5e: E-switch, Fix rate calculation division (jsc#SLE-8464). - net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464). - net/mlx5: Fix PPLM register mapping (jsc#SLE-8464). - net: mvneta: fix double free of txq->buf (git-fixes). - net: mvneta: make tx buffer array agnostic (git-fixes). - net: pasemi: fix error return code in pasemi_mac_open() (git-fixes). - net: phy: broadcom: Only advertise EEE for supported modes (git-fixes). - net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes). - net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup (git-fixes). - net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - netsec: restore phy power state after controller reset (bsc#1183757). - net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes). - net: stmmac: Fix incorrect location to set real_num_rx|tx_queues (git-fixes). - net: stmmac: removed enabling eee in EEE set callback (git-fixes). - net: stmmac: use netif_tx_start|stop_all_queues() function (git-fixes). - net: stmmac: Use rtnl_lock/unlock on netif_set_real_num_rx_queues() call (git-fixes). 
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes). - net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes). - net: usb: qmi_wwan: support ZTE P685M modem (git-fixes). - net: wan/lmc: unregister device when no matching device is found (git-fixes). - nfp: flower: fix pre_tun mask id allocation (bsc#1154353). - nvme: allocate the keep alive request using BLK_MQ_REQ_NOWAIT (bsc#1182077). - nvme-fabrics: fix kato initialization (bsc#1182591). - nvme-fabrics: only reserve a single tag (bsc#1182077). - nvme-fc: fix racing controller reset and create association (bsc#1183048). - nvme-hwmon: Return error code when registration fails (bsc#1177326). - nvme: merge nvme_keep_alive into nvme_keep_alive_work (bsc#1182077). - nvme: return an error if nvme_set_queue_count() fails (bsc#1180197). - nvmet-rdma: Fix list_del corruption on queue establishment failure (bsc#1183501). - objtool: Fix ".cold" section suffix check for newer versions of GCC (bsc#1169514). - objtool: Fix error handling for STD/CLD warnings (bsc#1169514). - objtool: Fix retpoline detection in asm code (bsc#1169514). - ovl: fix dentry leak in ovl_get_redirect (bsc#1184176). - ovl: fix out of date comment and unreachable code (bsc#1184176). - ovl: fix regression with re-formatted lower squashfs (bsc#1184176). - ovl: fix unneeded call to ovl_change_flags() (bsc#1184176). - ovl: fix value of i_ino for lower hardlink corner case (bsc#1184176). - ovl: initialize error in ovl_copy_xattr (bsc#1184176). - ovl: relax WARN_ON() when decoding lower directory file handle (bsc#1184176). - PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (git-fixes). - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes). - PCI: Align checking of syscall user config accessors (git-fixes). - PCI: Decline to resize resources if boot config must be preserved (git-fixes). - PCI: Fix pci_register_io_range() memory leak (git-fixes). 
- PCI: mediatek: Add missing of_node_put() to fix reference leak (git-fixes). - PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (git-fixes). - PCI: xgene-msi: Fix race in installing chained irq handler (git-fixes). - pinctrl: rockchip: fix restore error in resume (git-fixes). - Platform: OLPC: Fix probe error handling (git-fixes). - platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (git-fixes). - platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (git-fixes). - platform/x86: acer-wmi: Add new force_caps module parameter (git-fixes). - platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (git-fixes). - platform/x86: acer-wmi: Cleanup accelerometer device handling (git-fixes). - platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (git-fixes). - platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (git-fixes). - platform/x86: intel-vbtn: Stop reporting SW_DOCK events (git-fixes). - platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (git-fixes). - PM: EM: postpone creating the debugfs dir till fs_initcall (git-fixes). - PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (bsc#1183366). - PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes). - PM: runtime: Fix race getting/putting suppliers at probe (git-fixes). - post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388). - powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729). - powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963). - powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). - powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729). 
- powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395). - powerpc/sstep: Fix darn emulation (bsc#1156395). - powerpc/sstep: Fix incorrect return from analyze_instr() (bsc#1156395). - powerpc/sstep: Fix load-store and update emulation (bsc#1156395). - printk: fix deadlock when kernel panic (bsc#1183018). - proc: fix lookup in /proc/net subdirectories after setns(2) (git-fixes). - pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (git-fixes). - qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes). - qxl: Fix uninitialised struct field head.surface_id (git-fixes). - random: fix the RNDRESEEDCRNG ioctl (git-fixes). - RAS/CEC: Correct ce_add_elem()'s returned values (bsc#1152489). - RDMA/hns: Disable RQ inline by default (jsc#SLE-8449). - RDMA/hns: Fix type of sq_signal_bits (jsc#SLE-8449). - RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709) - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes). - Revert "net: bonding: fix error return code of bond_neigh_init()" (bsc#1154353). - rpadlpar: fix potential drc_name corruption in store functions (bsc#1183416 ltc#191079). - rpm/check-for-config-changes: add -mrecord-mcount ignore Added by 3b15cdc15956 (tracing: move function tracer options to Kconfig) upstream. - rpm/check-for-config-changes: Also ignore AS_VERSION added in 5.12. - rpm/check-for-config-changes: comment on the list To explain what it actually is. - rpm/check-for-config-changes: declare sed args as an array So that we can reuse it in both seds. This also introduces IGNORED_CONFIGS_RE array which can be easily extended. - rpm/check-for-config-changes: define ignores more strictly * search for whole words, so make wildcards explicit * use ' for quoting * prepend CONFIG_ dynamically, so it need not be in the list - rpm/check-for-config-changes: sort the ignores They are growing so to make them searchable by humans. 
- rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514) The devel package requires the kernel binary package itself for building modules externally. - rsi: Fix TX EAPOL packet handling against iwlwifi AP (git-fixes). - rsi: Move card interrupt handling to RX thread (git-fixes). - rsxx: Return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/cio: return -EFAULT if copy_to_user() fails (git-fixes). - s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes). - s390/dasd: fix hanging IO request during DASD driver unbind (git-fixes). - s390/qeth: fix memory leak after failed TX Buffer allocation (git-fixes). - s390/qeth: fix notification for pending buffers during teardown (git-fixes). - s390/qeth: improve completion of pending TX buffers (git-fixes). - s390/qeth: schedule TX NAPI on QAOB completion (git-fixes). - s390/vtime: fix increased steal time accounting (bsc#1183859). - samples, bpf: Add missing munmap in xdpsock (bsc#1155518). - samples/bpf: Fix possible hang in xdpsock with multiple threads (bsc#1155518). - scsi: ibmvfc: Fix invalid state machine BUG_ON() (bsc#1184647 ltc#191231). - scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574). - scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574). - scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574). - scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574). - scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574). - scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574). - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574). - scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574). - scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574). - scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574). 
- scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574). - scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574). - scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574). - scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574). - scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574). - scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574). - scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574). - scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574). - scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574). - scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574). - scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574). - scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574). - scsi: target: pscsi: Avoid OOM in pscsi_map_sg() (bsc#1183843). - scsi: target: pscsi: Clean up after failure in pscsi_map_sg() (bsc#1183843). - selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (bsc#1155518). - selftests/bpf: No need to drop the packet when there is no geneve opt (bsc#1155518). - selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (bsc#1155518). - selinux: fix error initialization in inode_doinit_with_dentry() (git-fixes). - selinux: Fix error return code in sel_ib_pkey_sid_slow() (git-fixes). - selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (git-fixes). - smb3: add dynamic trace point to trace when credits obtained (bsc#1181507). - smb3: fix crediting for compounding when only one request in flight (bsc#1181507). - smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540). - soc/fsl: qbman: fix conflicting alignment attributes (git-fixes). - software node: Fix node registration (git-fixes). - spi: stm32: make spurious and overrun interrupts visible (git-fixes). 
- squashfs: fix inode lookup sanity checks (bsc#1183750). - squashfs: fix xattr id and id lookup sanity checks (bsc#1183750). - stop_machine: mark helpers __always_inline (git-fixes). - thermal/core: Add NULL pointer check before using cooling device stats (git-fixes). - udlfb: Fix memory leak in dlfb_usb_probe (git-fixes). - Update bug reference for USB-audio fixes (bsc#1182552 bsc#1183598) - USB: cdc-acm: downgrade message to debug (git-fixes). - USB: cdc-acm: fix double free on probe failure (git-fixes). - USB: cdc-acm: fix use-after-free after probe failure (git-fixes). - USB: cdc-acm: untangle a circular dependency between callback and softint (git-fixes). - USB: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board (git-fixes). - USB: dwc2: Prevent core suspend when port connection flag is 0 (git-fixes). - USB: dwc3: gadget: Fix dep->interval for fullspeed interrupt (git-fixes). - USB: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 (git-fixes). - USB: dwc3: qcom: Add missing DWC3 OF node refcount decrement (git-fixes). - USB: dwc3: qcom: Honor wakeup enabled/disabled state (git-fixes). - USB: gadget: configfs: Fix KASAN use-after-free (git-fixes). - USB: gadget: f_uac1: stop playback on function disable (git-fixes). - USB: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes). - USB: gadget: udc: amd5536udc_pci fix null-ptr-dereference (git-fixes). - USB: gadget: u_ether: Fix a configfs return code (git-fixes). - USBip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes). - USBip: fix stub_dev to check for stream socket (git-fixes). - USBip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes). - USBip: fix vhci_hcd attach_store() races leading to gpf (git-fixes). - USBip: fix vhci_hcd to check for stream socket (git-fixes). - USBip: fix vudc to check for stream socket (git-fixes). - USBip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes). 
- USBip: tools: fix build error for multiple definition (git-fixes). - USBip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (git-fixes). - USB: musb: Fix suspend with devices connected for a64 (git-fixes). - USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (git-fixes). - USB: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (git-fixes). - USB: replace hardcode maximum usb string length by definition (git-fixes). - USB: serial: ch341: add new Product ID (git-fixes). - USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (git-fixes). - USB: serial: cp210x: add some more GE USB IDs (git-fixes). - USB: serial: ftdi_sio: fix FTX sub-integer prescaler (git-fixes). - USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes). - USB-storage: Add quirk to defeat Kindle's automatic unload (git-fixes). - USB: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes). - USB: usblp: fix a hang in poll() if disconnected (git-fixes). - USB: xhci: do not perform Soft Retry for some xHCI hosts (git-fixes). - USB: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (git-fixes). - USB: xhci-mtk: fix broken streams issue on 0.96 xHCI (git-fixes). - use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139). - video: fbdev: acornfb: remove free_unused_pages() (bsc#1152489) - video: hyperv_fb: Fix a double free in hvfb_probe (git-fixes). - VMCI: Use set_page_dirty_lock() when unregistering guest memory (git-fixes). - vt/consolemap: do font sum unsigned (git-fixes). - watchdog: mei_wdt: request stop on unregister (git-fixes). - wireguard: device: do not generate ICMP for non-IP packets (git-fixes). - wireguard: kconfig: use arm chacha even with no neon (git-fixes). - wireguard: selftests: test multiple parallel streams (git-fixes). - wlcore: Fix command execute failure 19 for wl12xx (git-fixes). - x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1152489). 
- x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (bsc#1152489). - x86/ioapic: Ignore IRQ2 again (bsc#1152489). - x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (bsc#1152489). - xen/events: avoid handling the same event on two cpus at the same time (git-fixes). - xen/events: do not unmask an event channel when an eoi is pending (git-fixes). - xen/events: fix setting irq affinity (bsc#1184583). - xen/events: reset affinity of 2-level event when tearing it down (git-fixes). - Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367). - xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367). - xfs: group quota should return EDQUOT when prj quota enabled (bsc#1180980). - xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (git-fixes). - xhci: Improve detection of device initiated wake signal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1238=1 - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1238=1 - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1238=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-1238=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1238=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1238=1 - SUSE Linux Enterprise High Availability 15-SP2: zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-1238=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): kernel-default-5.3.18-24.61.1 kernel-default-base-5.3.18-24.61.1.9.26.4 kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 kernel-default-extra-5.3.18-24.61.1 kernel-default-extra-debuginfo-5.3.18-24.61.1 kernel-preempt-extra-5.3.18-24.61.1 kernel-preempt-extra-debuginfo-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 kernel-default-livepatch-5.3.18-24.61.1 kernel-default-livepatch-devel-5.3.18-24.61.1 kernel-livepatch-5_3_18-24_61-default-1-5.3.4 kernel-livepatch-5_3_18-24_61-default-debuginfo-1-5.3.4 kernel-livepatch-SLE15-SP2_Update_12-debugsource-1-5.3.4 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 reiserfs-kmp-default-5.3.18-24.61.1 
reiserfs-kmp-default-debuginfo-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-obs-build-5.3.18-24.61.1 kernel-obs-build-debugsource-5.3.18-24.61.1 kernel-syms-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64): kernel-preempt-debuginfo-5.3.18-24.61.1 kernel-preempt-debugsource-5.3.18-24.61.1 kernel-preempt-devel-5.3.18-24.61.1 kernel-preempt-devel-debuginfo-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): kernel-docs-5.3.18-24.61.1 kernel-source-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): kernel-default-5.3.18-24.61.1 kernel-default-base-5.3.18-24.61.1.9.26.4 kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 kernel-default-devel-5.3.18-24.61.1 kernel-default-devel-debuginfo-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64): kernel-preempt-5.3.18-24.61.1 kernel-preempt-debuginfo-5.3.18-24.61.1 kernel-preempt-debugsource-5.3.18-24.61.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): kernel-devel-5.3.18-24.61.1 kernel-macros-5.3.18-24.61.1 - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-5.3.18-24.61.1 cluster-md-kmp-default-debuginfo-5.3.18-24.61.1 dlm-kmp-default-5.3.18-24.61.1 dlm-kmp-default-debuginfo-5.3.18-24.61.1 gfs2-kmp-default-5.3.18-24.61.1 gfs2-kmp-default-debuginfo-5.3.18-24.61.1 kernel-default-debuginfo-5.3.18-24.61.1 kernel-default-debugsource-5.3.18-24.61.1 ocfs2-kmp-default-5.3.18-24.61.1 ocfs2-kmp-default-debuginfo-5.3.18-24.61.1 References: https://www.suse.com/security/cve/CVE-2019-18814.html https://www.suse.com/security/cve/CVE-2019-19769.html https://www.suse.com/security/cve/CVE-2020-25670.html https://www.suse.com/security/cve/CVE-2020-25671.html https://www.suse.com/security/cve/CVE-2020-25672.html 
https://www.suse.com/security/cve/CVE-2020-25673.html https://www.suse.com/security/cve/CVE-2020-27170.html https://www.suse.com/security/cve/CVE-2020-27171.html https://www.suse.com/security/cve/CVE-2020-27815.html https://www.suse.com/security/cve/CVE-2020-35519.html https://www.suse.com/security/cve/CVE-2020-36310.html https://www.suse.com/security/cve/CVE-2020-36311.html https://www.suse.com/security/cve/CVE-2020-36312.html https://www.suse.com/security/cve/CVE-2020-36322.html https://www.suse.com/security/cve/CVE-2021-27363.html https://www.suse.com/security/cve/CVE-2021-27364.html https://www.suse.com/security/cve/CVE-2021-27365.html https://www.suse.com/security/cve/CVE-2021-28038.html https://www.suse.com/security/cve/CVE-2021-28375.html https://www.suse.com/security/cve/CVE-2021-28660.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-28950.html https://www.suse.com/security/cve/CVE-2021-28964.html https://www.suse.com/security/cve/CVE-2021-28971.html https://www.suse.com/security/cve/CVE-2021-28972.html https://www.suse.com/security/cve/CVE-2021-29154.html https://www.suse.com/security/cve/CVE-2021-29264.html https://www.suse.com/security/cve/CVE-2021-29265.html https://www.suse.com/security/cve/CVE-2021-29647.html https://www.suse.com/security/cve/CVE-2021-30002.html https://www.suse.com/security/cve/CVE-2021-3428.html https://www.suse.com/security/cve/CVE-2021-3444.html https://www.suse.com/security/cve/CVE-2021-3483.html https://bugzilla.suse.com/1047233 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1113295 https://bugzilla.suse.com/1152472 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1153274 https://bugzilla.suse.com/1154353 https://bugzilla.suse.com/1155518 https://bugzilla.suse.com/1156256 https://bugzilla.suse.com/1156395 https://bugzilla.suse.com/1159280 https://bugzilla.suse.com/1160634 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167773 
https://bugzilla.suse.com/1168777 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169709 https://bugzilla.suse.com/1171295 https://bugzilla.suse.com/1173485 https://bugzilla.suse.com/1175995 https://bugzilla.suse.com/1177326 https://bugzilla.suse.com/1178163 https://bugzilla.suse.com/1178181 https://bugzilla.suse.com/1178330 https://bugzilla.suse.com/1179454 https://bugzilla.suse.com/1180197 https://bugzilla.suse.com/1180980 https://bugzilla.suse.com/1181383 https://bugzilla.suse.com/1181507 https://bugzilla.suse.com/1181674 https://bugzilla.suse.com/1181862 https://bugzilla.suse.com/1182011 https://bugzilla.suse.com/1182077 https://bugzilla.suse.com/1182485 https://bugzilla.suse.com/1182552 https://bugzilla.suse.com/1182574 https://bugzilla.suse.com/1182591 https://bugzilla.suse.com/1182595 https://bugzilla.suse.com/1182715 https://bugzilla.suse.com/1182716 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1182770 https://bugzilla.suse.com/1182989 https://bugzilla.suse.com/1183015 https://bugzilla.suse.com/1183018 https://bugzilla.suse.com/1183022 https://bugzilla.suse.com/1183023 https://bugzilla.suse.com/1183048 https://bugzilla.suse.com/1183252 https://bugzilla.suse.com/1183277 https://bugzilla.suse.com/1183278 https://bugzilla.suse.com/1183279 https://bugzilla.suse.com/1183280 https://bugzilla.suse.com/1183281 https://bugzilla.suse.com/1183282 https://bugzilla.suse.com/1183283 https://bugzilla.suse.com/1183284 https://bugzilla.suse.com/1183285 https://bugzilla.suse.com/1183286 https://bugzilla.suse.com/1183287 https://bugzilla.suse.com/1183288 https://bugzilla.suse.com/1183366 https://bugzilla.suse.com/1183369 https://bugzilla.suse.com/1183386 https://bugzilla.suse.com/1183405 https://bugzilla.suse.com/1183412 https://bugzilla.suse.com/1183416 https://bugzilla.suse.com/1183427 https://bugzilla.suse.com/1183428 https://bugzilla.suse.com/1183445 https://bugzilla.suse.com/1183447 https://bugzilla.suse.com/1183501 
https://bugzilla.suse.com/1183509 https://bugzilla.suse.com/1183530 https://bugzilla.suse.com/1183534 https://bugzilla.suse.com/1183540 https://bugzilla.suse.com/1183593 https://bugzilla.suse.com/1183596 https://bugzilla.suse.com/1183598 https://bugzilla.suse.com/1183637 https://bugzilla.suse.com/1183646 https://bugzilla.suse.com/1183662 https://bugzilla.suse.com/1183686 https://bugzilla.suse.com/1183692 https://bugzilla.suse.com/1183696 https://bugzilla.suse.com/1183750 https://bugzilla.suse.com/1183757 https://bugzilla.suse.com/1183775 https://bugzilla.suse.com/1183843 https://bugzilla.suse.com/1183859 https://bugzilla.suse.com/1183871 https://bugzilla.suse.com/1184074 https://bugzilla.suse.com/1184120 https://bugzilla.suse.com/1184167 https://bugzilla.suse.com/1184168 https://bugzilla.suse.com/1184170 https://bugzilla.suse.com/1184176 https://bugzilla.suse.com/1184192 https://bugzilla.suse.com/1184193 https://bugzilla.suse.com/1184194 https://bugzilla.suse.com/1184196 https://bugzilla.suse.com/1184198 https://bugzilla.suse.com/1184211 https://bugzilla.suse.com/1184217 https://bugzilla.suse.com/1184218 https://bugzilla.suse.com/1184219 https://bugzilla.suse.com/1184220 https://bugzilla.suse.com/1184224 https://bugzilla.suse.com/1184388 https://bugzilla.suse.com/1184391 https://bugzilla.suse.com/1184393 https://bugzilla.suse.com/1184485 https://bugzilla.suse.com/1184509 https://bugzilla.suse.com/1184511 https://bugzilla.suse.com/1184512 https://bugzilla.suse.com/1184514 https://bugzilla.suse.com/1184583 https://bugzilla.suse.com/1184585 https://bugzilla.suse.com/1184647 From sle-security-updates at lists.suse.com Fri Apr 16 16:15:43 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:15:43 +0200 (CEST) Subject: SUSE-SU-2021:1243-1: important: Security update for qemu Message-ID: <20210416161543.A8FB8FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu 
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1243-1
Rating:             important
References:         #1172385 #1173612 #1176673 #1176682 #1176684
                    #1178174 #1178400 #1178934 #1179466 #1179467
                    #1179468 #1179686 #1181108 #1182425 #1182577
                    #1182968 #1184064
Cross-References:   CVE-2020-12829 CVE-2020-15469 CVE-2020-25084
                    CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
                    CVE-2020-27616 CVE-2020-27617 CVE-2020-27821
                    CVE-2020-28916 CVE-2020-29129 CVE-2020-29130
                    CVE-2020-29443 CVE-2021-20257 CVE-2021-3416
CVSS scores:
                    CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-27616 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-27821 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-27821 (SUSE): 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves 15 vulnerabilities and has two fixes is now available.

Description:

This update for qemu fixes the following issues:

- CVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385)
- CVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934)
- CVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673)
- CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684)
- CVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682)
- CVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174)
- CVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468)
- CVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108)
- CVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686)
- CVE-2020-15469: Fix null pointer deref. (DoS) in mmio ops (bsc#1173612)
- CVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577)
- CVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968)
- CVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968)
- CVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400)
- CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Add split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064)
- Added a few more usability improvements for our git packaging workflow

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:

  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1243=1

- SUSE Linux Enterprise Module for Server Applications 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1243=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1243=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):

  qemu-4.2.1-11.16.3
  qemu-debuginfo-4.2.1-11.16.3
  qemu-debugsource-4.2.1-11.16.3
  qemu-tools-4.2.1-11.16.3
  qemu-tools-debuginfo-4.2.1-11.16.3

- SUSE MicroOS 5.0 (aarch64):

  qemu-arm-4.2.1-11.16.3
  qemu-arm-debuginfo-4.2.1-11.16.3

- SUSE MicroOS 5.0 (x86_64):

  qemu-x86-4.2.1-11.16.3
  qemu-x86-debuginfo-4.2.1-11.16.3

- SUSE MicroOS 5.0 (noarch):

  qemu-ipxe-1.0.0+-11.16.3
  qemu-seabios-1.12.1+-11.16.3
  qemu-sgabios-8-11.16.3
  qemu-vgabios-1.12.1+-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

  qemu-4.2.1-11.16.3
  qemu-block-curl-4.2.1-11.16.3
  qemu-block-curl-debuginfo-4.2.1-11.16.3
  qemu-block-iscsi-4.2.1-11.16.3
  qemu-block-iscsi-debuginfo-4.2.1-11.16.3
  qemu-block-rbd-4.2.1-11.16.3
  qemu-block-rbd-debuginfo-4.2.1-11.16.3
  qemu-block-ssh-4.2.1-11.16.3
  qemu-block-ssh-debuginfo-4.2.1-11.16.3
  qemu-debuginfo-4.2.1-11.16.3
  qemu-debugsource-4.2.1-11.16.3
  qemu-guest-agent-4.2.1-11.16.3
  qemu-guest-agent-debuginfo-4.2.1-11.16.3
  qemu-lang-4.2.1-11.16.3
  qemu-ui-spice-app-4.2.1-11.16.3
  qemu-ui-spice-app-debuginfo-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x x86_64):

  qemu-kvm-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (ppc64le):

  qemu-ppc-4.2.1-11.16.3
  qemu-ppc-debuginfo-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64):

  qemu-arm-4.2.1-11.16.3
  qemu-arm-debuginfo-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64):

  qemu-audio-alsa-4.2.1-11.16.3
  qemu-audio-alsa-debuginfo-4.2.1-11.16.3
  qemu-audio-pa-4.2.1-11.16.3
  qemu-audio-pa-debuginfo-4.2.1-11.16.3
  qemu-ui-curses-4.2.1-11.16.3
  qemu-ui-curses-debuginfo-4.2.1-11.16.3
  qemu-ui-gtk-4.2.1-11.16.3
  qemu-ui-gtk-debuginfo-4.2.1-11.16.3
  qemu-x86-4.2.1-11.16.3
  qemu-x86-debuginfo-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

  qemu-ipxe-1.0.0+-11.16.3
  qemu-microvm-4.2.1-11.16.3
  qemu-seabios-1.12.1+-11.16.3
  qemu-sgabios-8-11.16.3
  qemu-vgabios-1.12.1+-11.16.3

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x):

  qemu-s390-4.2.1-11.16.3
  qemu-s390-debuginfo-4.2.1-11.16.3

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

  qemu-debuginfo-4.2.1-11.16.3
  qemu-debugsource-4.2.1-11.16.3
  qemu-tools-4.2.1-11.16.3
  qemu-tools-debuginfo-4.2.1-11.16.3

References:

https://www.suse.com/security/cve/CVE-2020-12829.html
https://www.suse.com/security/cve/CVE-2020-15469.html
https://www.suse.com/security/cve/CVE-2020-25084.html
https://www.suse.com/security/cve/CVE-2020-25624.html
https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27616.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-27821.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178400 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179466 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1179686 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 https://bugzilla.suse.com/1184064 From sle-security-updates at lists.suse.com Fri Apr 16 16:18:20 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:18:20 +0200 (CEST) Subject: SUSE-SU-2021:1245-1: important: Security update for qemu Message-ID: <20210416161820.57697FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1245-1 Rating: important References: #1172383 #1172384 #1172385 #1172386 #1172478 #1173612 #1174386 #1174641 #1175441 #1176673 #1176682 #1176684 #1178049 #1178174 #1178565 #1178934 #1179466 #1179467 #1179468 #1179686 #1180523 #1181108 #1181639 #1181933 #1182137 #1182425 #1182577 #1182968 #1183979 Cross-References: CVE-2020-11947 CVE-2020-12829 
CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-14364 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2021-3416 CVSS scores: CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-15863 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-15863 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-16092 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-16092 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2020-27821 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-27821 (SUSE): 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20203 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE 
Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves 25 vulnerabilities and has four fixes is now available. Description: This update for qemu fixes the following issues: - Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174) - Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686) - Fix null pointer deref. 
(DoS) in mmio ops (CVE-2020-15469, bsc#1173612) - Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577) - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416) - Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467) - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) - Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979) - Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523) - Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049) - Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) - Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478) - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) - Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641) - Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386) - Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid "Failed to try-restart qemu-ga@.service" error while updating the qemu-guest-agent. (bsc#1178565) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1245=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1245=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1245=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1245=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1245=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1245=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1245=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1245=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1245=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Manager Server 4.0 (s390x x86_64): qemu-kvm-3.1.1.1-9.24.3 - SUSE Manager Server 4.0 (ppc64le): qemu-ppc-3.1.1.1-9.24.3 qemu-ppc-debuginfo-3.1.1.1-9.24.3 - SUSE Manager Server 4.0 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Manager Server 4.0 (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Manager Server 4.0 (s390x): qemu-s390-3.1.1.1-9.24.3 qemu-s390-debuginfo-3.1.1.1-9.24.3 - SUSE Manager Retail Branch Server 4.0 (x86_64): qemu-3.1.1.1-9.24.3 qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 
qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Manager Retail Branch Server 4.0 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Manager Proxy 4.0 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Manager Proxy 4.0 (x86_64): qemu-3.1.1.1-9.24.3 qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 
qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le): qemu-ppc-3.1.1.1-9.24.3 qemu-ppc-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x x86_64): qemu-kvm-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64): qemu-arm-3.1.1.1-9.24.3 qemu-arm-debuginfo-3.1.1.1-9.24.3 - SUSE Linux 
Enterprise Server 15-SP1-LTSS (ppc64le): qemu-ppc-3.1.1.1-9.24.3 qemu-ppc-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x): qemu-s390-3.1.1.1-9.24.3 qemu-s390-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): qemu-3.1.1.1-9.24.3 qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 
qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64): qemu-arm-3.1.1.1-9.24.3 qemu-arm-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 
qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64): qemu-arm-3.1.1.1-9.24.3 qemu-arm-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE Enterprise Storage 6 (aarch64 x86_64): qemu-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 - SUSE Enterprise Storage 6 (aarch64): qemu-arm-3.1.1.1-9.24.3 qemu-arm-debuginfo-3.1.1.1-9.24.3 - SUSE Enterprise Storage 6 (x86_64): qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 
qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 - SUSE Enterprise Storage 6 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE CaaS Platform 4.0 (noarch): qemu-ipxe-1.0.0+-9.24.3 qemu-seabios-1.12.0_0_ga698c89-9.24.3 qemu-sgabios-8-9.24.3 qemu-vgabios-1.12.0_0_ga698c89-9.24.3 - SUSE CaaS Platform 4.0 (x86_64): qemu-3.1.1.1-9.24.3 qemu-audio-alsa-3.1.1.1-9.24.3 qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3 qemu-audio-oss-3.1.1.1-9.24.3 qemu-audio-oss-debuginfo-3.1.1.1-9.24.3 qemu-audio-pa-3.1.1.1-9.24.3 qemu-audio-pa-debuginfo-3.1.1.1-9.24.3 qemu-block-curl-3.1.1.1-9.24.3 qemu-block-curl-debuginfo-3.1.1.1-9.24.3 qemu-block-iscsi-3.1.1.1-9.24.3 qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3 qemu-block-rbd-3.1.1.1-9.24.3 qemu-block-rbd-debuginfo-3.1.1.1-9.24.3 qemu-block-ssh-3.1.1.1-9.24.3 qemu-block-ssh-debuginfo-3.1.1.1-9.24.3 qemu-debuginfo-3.1.1.1-9.24.3 qemu-debugsource-3.1.1.1-9.24.3 qemu-guest-agent-3.1.1.1-9.24.3 qemu-guest-agent-debuginfo-3.1.1.1-9.24.3 qemu-kvm-3.1.1.1-9.24.3 qemu-lang-3.1.1.1-9.24.3 qemu-tools-3.1.1.1-9.24.3 qemu-tools-debuginfo-3.1.1.1-9.24.3 qemu-ui-curses-3.1.1.1-9.24.3 qemu-ui-curses-debuginfo-3.1.1.1-9.24.3 qemu-ui-gtk-3.1.1.1-9.24.3 qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3 qemu-x86-3.1.1.1-9.24.3 qemu-x86-debuginfo-3.1.1.1-9.24.3 References: https://www.suse.com/security/cve/CVE-2020-11947.html https://www.suse.com/security/cve/CVE-2020-12829.html https://www.suse.com/security/cve/CVE-2020-13361.html https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13659.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-15469.html https://www.suse.com/security/cve/CVE-2020-15863.html https://www.suse.com/security/cve/CVE-2020-16092.html https://www.suse.com/security/cve/CVE-2020-25084.html 
https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-27821.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20203.html https://www.suse.com/security/cve/CVE-2021-20221.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172384 https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172386 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1174386 https://bugzilla.suse.com/1174641 https://bugzilla.suse.com/1175441 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178049 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178565 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179466 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1179686 https://bugzilla.suse.com/1180523 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1181639 https://bugzilla.suse.com/1181933 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 https://bugzilla.suse.com/1183979 From sle-security-updates at lists.suse.com Fri Apr 16 16:21:59 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:21:59 +0200 (CEST) Subject: SUSE-SU-2021:1240-1: important: Security update 
for qemu Message-ID: <20210416162159.4C1E3FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1240-1 Rating: important References: #1172383 #1172384 #1172385 #1172386 #1172478 #1173612 #1174386 #1174641 #1175441 #1176673 #1176682 #1176684 #1178174 #1178934 #1179467 #1179468 #1180523 #1181108 #1181639 #1182137 #1182425 #1182577 #1182968 Cross-References: CVE-2020-11947 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-14364 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-28916 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20257 CVE-2021-3416 CVSS scores: CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-15863 (NVD) : 
5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-15863 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-16092 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-16092 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20203 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE 
Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8
______________________________________________________________________________

An update that solves 22 vulnerabilities and has one errata is now available.

Description:

This update for qemu fixes the following issues:

- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1240=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1240=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1240=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1240=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1240=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1240=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-kvm-2.9.1-6.47.1 qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - SUSE OpenStack Cloud 8 (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 - SUSE OpenStack Cloud 8 (x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-kvm-2.9.1-6.47.1 
qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le): qemu-ppc-2.9.1-6.47.1 qemu-ppc-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 qemu-kvm-2.9.1-6.47.1 qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 x86_64): qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): qemu-kvm-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le): qemu-ppc-2.9.1-6.47.1 qemu-ppc-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64): qemu-arm-2.9.1-6.47.1 qemu-arm-debuginfo-2.9.1-6.47.1 - SUSE 
Linux Enterprise Server 12-SP3-LTSS (x86_64): qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): qemu-s390-2.9.1-6.47.1 qemu-s390-debuginfo-2.9.1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-kvm-2.9.1-6.47.1 qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - HPE Helion Openstack 8 (x86_64): qemu-2.9.1-6.47.1 qemu-block-curl-2.9.1-6.47.1 qemu-block-curl-debuginfo-2.9.1-6.47.1 qemu-block-iscsi-2.9.1-6.47.1 qemu-block-iscsi-debuginfo-2.9.1-6.47.1 qemu-block-rbd-2.9.1-6.47.1 qemu-block-rbd-debuginfo-2.9.1-6.47.1 qemu-block-ssh-2.9.1-6.47.1 qemu-block-ssh-debuginfo-2.9.1-6.47.1 qemu-debugsource-2.9.1-6.47.1 qemu-guest-agent-2.9.1-6.47.1 qemu-guest-agent-debuginfo-2.9.1-6.47.1 qemu-kvm-2.9.1-6.47.1 qemu-lang-2.9.1-6.47.1 qemu-tools-2.9.1-6.47.1 qemu-tools-debuginfo-2.9.1-6.47.1 qemu-x86-2.9.1-6.47.1 qemu-x86-debuginfo-2.9.1-6.47.1 - HPE Helion Openstack 8 (noarch): qemu-ipxe-1.0.0+-6.47.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.47.1 qemu-sgabios-8-6.47.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.47.1 References: https://www.suse.com/security/cve/CVE-2020-11947.html 
https://www.suse.com/security/cve/CVE-2020-12829.html https://www.suse.com/security/cve/CVE-2020-13361.html https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13659.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-15469.html https://www.suse.com/security/cve/CVE-2020-15863.html https://www.suse.com/security/cve/CVE-2020-16092.html https://www.suse.com/security/cve/CVE-2020-25084.html https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20203.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172384 https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172386 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1174386 https://bugzilla.suse.com/1174641 https://bugzilla.suse.com/1175441 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1180523 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1181639 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 From sle-security-updates at lists.suse.com Fri Apr 16 16:25:04 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:25:04 +0200 (CEST) Subject: SUSE-SU-2021:1241-1: important: Security update for qemu Message-ID: <20210416162504.0D854FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1241-1 Rating: important References: #1112499 #1119115 #1172383 #1172384 #1172385 #1172386 #1172478 #1173612 #1174386 #1174641 #1175441 #1176673 #1176682 #1176684 #1178174 #1178934 #1179466 #1179467 #1179468 #1180523 #1181108 #1181639 #1181933 #1182137 #1182425 #1182577 #1182968 Cross-References: CVE-2020-11947 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-14364 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2021-3416 CVSS scores: CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14364 (NVD) : 5 
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-15863 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-15863 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-16092 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-16092 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20203 (SUSE): 
3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that solves 24 vulnerabilities and has three fixes is now available.

Description:

This update for qemu fixes the following issues:

- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659, bsc#1172386)
- Fix OOB access in iscsi (CVE-2020-11947, bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092, bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)
- Fix qemu-testsuite failure
- Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115)
- Fix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)
- Fix slowness in arm32 emulation (bsc#1112499)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1241=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1241=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1241=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1241=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): qemu-ipxe-1.0.0+-5.29.1 qemu-seabios-1.11.0_0_g63451fc-5.29.1 qemu-sgabios-8-5.29.1 qemu-vgabios-1.11.0_0_g63451fc-5.29.1 - SUSE OpenStack Cloud Crowbar 9 (x86_64): qemu-2.11.2-5.29.1 qemu-block-curl-2.11.2-5.29.1 qemu-block-curl-debuginfo-2.11.2-5.29.1 qemu-block-iscsi-2.11.2-5.29.1 qemu-block-iscsi-debuginfo-2.11.2-5.29.1 qemu-block-rbd-2.11.2-5.29.1 qemu-block-rbd-debuginfo-2.11.2-5.29.1 qemu-block-ssh-2.11.2-5.29.1 qemu-block-ssh-debuginfo-2.11.2-5.29.1 qemu-debugsource-2.11.2-5.29.1 qemu-guest-agent-2.11.2-5.29.1 qemu-guest-agent-debuginfo-2.11.2-5.29.1 qemu-kvm-2.11.2-5.29.1 qemu-lang-2.11.2-5.29.1 qemu-tools-2.11.2-5.29.1 qemu-tools-debuginfo-2.11.2-5.29.1 qemu-x86-2.11.2-5.29.1 - SUSE OpenStack Cloud 9 (x86_64): qemu-2.11.2-5.29.1 qemu-block-curl-2.11.2-5.29.1 qemu-block-curl-debuginfo-2.11.2-5.29.1 qemu-block-iscsi-2.11.2-5.29.1 qemu-block-iscsi-debuginfo-2.11.2-5.29.1 qemu-block-rbd-2.11.2-5.29.1 qemu-block-rbd-debuginfo-2.11.2-5.29.1 qemu-block-ssh-2.11.2-5.29.1 qemu-block-ssh-debuginfo-2.11.2-5.29.1 qemu-debugsource-2.11.2-5.29.1 qemu-guest-agent-2.11.2-5.29.1 qemu-guest-agent-debuginfo-2.11.2-5.29.1 qemu-kvm-2.11.2-5.29.1 qemu-lang-2.11.2-5.29.1 qemu-tools-2.11.2-5.29.1 qemu-tools-debuginfo-2.11.2-5.29.1 qemu-x86-2.11.2-5.29.1 - SUSE OpenStack Cloud 9 (noarch): qemu-ipxe-1.0.0+-5.29.1 qemu-seabios-1.11.0_0_g63451fc-5.29.1 qemu-sgabios-8-5.29.1 qemu-vgabios-1.11.0_0_g63451fc-5.29.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): qemu-2.11.2-5.29.1 
qemu-block-curl-2.11.2-5.29.1 qemu-block-curl-debuginfo-2.11.2-5.29.1 qemu-block-iscsi-2.11.2-5.29.1 qemu-block-iscsi-debuginfo-2.11.2-5.29.1 qemu-block-ssh-2.11.2-5.29.1 qemu-block-ssh-debuginfo-2.11.2-5.29.1 qemu-debugsource-2.11.2-5.29.1 qemu-guest-agent-2.11.2-5.29.1 qemu-guest-agent-debuginfo-2.11.2-5.29.1 qemu-lang-2.11.2-5.29.1 qemu-tools-2.11.2-5.29.1 qemu-tools-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le): qemu-ppc-2.11.2-5.29.1 qemu-ppc-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): qemu-ipxe-1.0.0+-5.29.1 qemu-seabios-1.11.0_0_g63451fc-5.29.1 qemu-sgabios-8-5.29.1 qemu-vgabios-1.11.0_0_g63451fc-5.29.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): qemu-block-rbd-2.11.2-5.29.1 qemu-block-rbd-debuginfo-2.11.2-5.29.1 qemu-kvm-2.11.2-5.29.1 qemu-x86-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): qemu-2.11.2-5.29.1 qemu-block-curl-2.11.2-5.29.1 qemu-block-curl-debuginfo-2.11.2-5.29.1 qemu-block-iscsi-2.11.2-5.29.1 qemu-block-iscsi-debuginfo-2.11.2-5.29.1 qemu-block-ssh-2.11.2-5.29.1 qemu-block-ssh-debuginfo-2.11.2-5.29.1 qemu-debugsource-2.11.2-5.29.1 qemu-guest-agent-2.11.2-5.29.1 qemu-guest-agent-debuginfo-2.11.2-5.29.1 qemu-lang-2.11.2-5.29.1 qemu-tools-2.11.2-5.29.1 qemu-tools-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 x86_64): qemu-block-rbd-2.11.2-5.29.1 qemu-block-rbd-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): qemu-kvm-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (ppc64le): qemu-ppc-2.11.2-5.29.1 qemu-ppc-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64): qemu-arm-2.11.2-5.29.1 qemu-arm-debuginfo-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): qemu-ipxe-1.0.0+-5.29.1 qemu-seabios-1.11.0_0_g63451fc-5.29.1 qemu-sgabios-8-5.29.1 qemu-vgabios-1.11.0_0_g63451fc-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS 
(x86_64): qemu-x86-2.11.2-5.29.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x): qemu-s390-2.11.2-5.29.1 qemu-s390-debuginfo-2.11.2-5.29.1 References: https://www.suse.com/security/cve/CVE-2020-11947.html https://www.suse.com/security/cve/CVE-2020-12829.html https://www.suse.com/security/cve/CVE-2020-13361.html https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13659.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-15469.html https://www.suse.com/security/cve/CVE-2020-15863.html https://www.suse.com/security/cve/CVE-2020-16092.html https://www.suse.com/security/cve/CVE-2020-25084.html https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20203.html https://www.suse.com/security/cve/CVE-2021-20221.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1112499 https://bugzilla.suse.com/1119115 https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172384 https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172386 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1174386 https://bugzilla.suse.com/1174641 https://bugzilla.suse.com/1175441 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178934 
https://bugzilla.suse.com/1179466 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1180523 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1181639 https://bugzilla.suse.com/1181933 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 From sle-security-updates at lists.suse.com Fri Apr 16 16:28:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:28:31 +0200 (CEST) Subject: SUSE-SU-2021:1244-1: important: Security update for qemu Message-ID: <20210416162831.67C36FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1244-1 Rating: important References: #1129962 #1154790 #1172383 #1172384 #1172385 #1172386 #1172478 #1173612 #1174386 #1174641 #1175441 #1176673 #1176682 #1176684 #1178174 #1178565 #1178934 #1179466 #1179467 #1179468 #1180523 #1181108 #1181639 #1181933 #1182137 #1182425 #1182577 #1182968 Cross-References: CVE-2020-11947 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-14364 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2021-3416 CVSS scores: CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13362 (NVD) : 3.2 
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-15863 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-15863 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-16092 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-16092 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 
4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20203 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves 24 vulnerabilities and has four fixes is now available. Description: This update for qemu fixes the following issues: - Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174) - Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix null pointer deref. 
(DoS) in mmio ops (CVE-2020-15469, bsc#1173612) - Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577) - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416) - Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467) - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) - Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523) - Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) - Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386) - Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641) - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Drop the 'ampersand 0x25 shift altgr' line in pt-br keymap file (bsc#1129962) - Fix migration failure with error message: "error while loading state section id 3(ram)" (bsc#1154790) - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478) - Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) - Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel - Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid "Failed to try-restart qemu-ga@.service" error while updating the qemu-guest-agent. (bsc#1178565) - Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1244=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1244=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1244=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1244=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): qemu-2.11.2-9.43.1 qemu-block-curl-2.11.2-9.43.1 qemu-block-curl-debuginfo-2.11.2-9.43.1 qemu-block-iscsi-2.11.2-9.43.1 qemu-block-iscsi-debuginfo-2.11.2-9.43.1 qemu-block-rbd-2.11.2-9.43.1 qemu-block-rbd-debuginfo-2.11.2-9.43.1 qemu-block-ssh-2.11.2-9.43.1 qemu-block-ssh-debuginfo-2.11.2-9.43.1 qemu-debuginfo-2.11.2-9.43.1 qemu-debugsource-2.11.2-9.43.1 qemu-guest-agent-2.11.2-9.43.1 qemu-guest-agent-debuginfo-2.11.2-9.43.1 qemu-lang-2.11.2-9.43.1 qemu-tools-2.11.2-9.43.1 qemu-tools-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le): qemu-ppc-2.11.2-9.43.1 qemu-ppc-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): qemu-kvm-2.11.2-9.43.1 qemu-x86-2.11.2-9.43.1 qemu-x86-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): qemu-ipxe-1.0.0+-9.43.1 qemu-seabios-1.11.0_0_g63451fc-9.43.1 qemu-sgabios-8-9.43.1 qemu-vgabios-1.11.0_0_g63451fc-9.43.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): qemu-2.11.2-9.43.1 qemu-block-curl-2.11.2-9.43.1 qemu-block-curl-debuginfo-2.11.2-9.43.1 qemu-block-iscsi-2.11.2-9.43.1 qemu-block-iscsi-debuginfo-2.11.2-9.43.1 qemu-block-rbd-2.11.2-9.43.1 qemu-block-rbd-debuginfo-2.11.2-9.43.1 qemu-block-ssh-2.11.2-9.43.1 qemu-block-ssh-debuginfo-2.11.2-9.43.1 qemu-debuginfo-2.11.2-9.43.1 qemu-debugsource-2.11.2-9.43.1 qemu-guest-agent-2.11.2-9.43.1 qemu-guest-agent-debuginfo-2.11.2-9.43.1 
qemu-lang-2.11.2-9.43.1 qemu-tools-2.11.2-9.43.1 qemu-tools-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): qemu-arm-2.11.2-9.43.1 qemu-arm-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): qemu-ipxe-1.0.0+-9.43.1 qemu-vgabios-1.11.0_0_g63451fc-9.43.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): qemu-kvm-2.11.2-9.43.1 qemu-s390-2.11.2-9.43.1 qemu-s390-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): qemu-2.11.2-9.43.1 qemu-block-curl-2.11.2-9.43.1 qemu-block-curl-debuginfo-2.11.2-9.43.1 qemu-block-iscsi-2.11.2-9.43.1 qemu-block-iscsi-debuginfo-2.11.2-9.43.1 qemu-block-rbd-2.11.2-9.43.1 qemu-block-rbd-debuginfo-2.11.2-9.43.1 qemu-block-ssh-2.11.2-9.43.1 qemu-block-ssh-debuginfo-2.11.2-9.43.1 qemu-debuginfo-2.11.2-9.43.1 qemu-debugsource-2.11.2-9.43.1 qemu-guest-agent-2.11.2-9.43.1 qemu-guest-agent-debuginfo-2.11.2-9.43.1 qemu-lang-2.11.2-9.43.1 qemu-tools-2.11.2-9.43.1 qemu-tools-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64): qemu-arm-2.11.2-9.43.1 qemu-arm-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): qemu-ipxe-1.0.0+-9.43.1 qemu-seabios-1.11.0_0_g63451fc-9.43.1 qemu-sgabios-8-9.43.1 qemu-vgabios-1.11.0_0_g63451fc-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): qemu-kvm-2.11.2-9.43.1 qemu-x86-2.11.2-9.43.1 qemu-x86-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): qemu-2.11.2-9.43.1 qemu-block-curl-2.11.2-9.43.1 qemu-block-curl-debuginfo-2.11.2-9.43.1 qemu-block-iscsi-2.11.2-9.43.1 qemu-block-iscsi-debuginfo-2.11.2-9.43.1 qemu-block-rbd-2.11.2-9.43.1 qemu-block-rbd-debuginfo-2.11.2-9.43.1 qemu-block-ssh-2.11.2-9.43.1 qemu-block-ssh-debuginfo-2.11.2-9.43.1 qemu-debuginfo-2.11.2-9.43.1 qemu-debugsource-2.11.2-9.43.1 qemu-guest-agent-2.11.2-9.43.1 qemu-guest-agent-debuginfo-2.11.2-9.43.1 
qemu-lang-2.11.2-9.43.1 qemu-tools-2.11.2-9.43.1 qemu-tools-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64): qemu-arm-2.11.2-9.43.1 qemu-arm-debuginfo-2.11.2-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): qemu-ipxe-1.0.0+-9.43.1 qemu-seabios-1.11.0_0_g63451fc-9.43.1 qemu-sgabios-8-9.43.1 qemu-vgabios-1.11.0_0_g63451fc-9.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): qemu-kvm-2.11.2-9.43.1 qemu-x86-2.11.2-9.43.1 qemu-x86-debuginfo-2.11.2-9.43.1 References: https://www.suse.com/security/cve/CVE-2020-11947.html https://www.suse.com/security/cve/CVE-2020-12829.html https://www.suse.com/security/cve/CVE-2020-13361.html https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13659.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-15469.html https://www.suse.com/security/cve/CVE-2020-15863.html https://www.suse.com/security/cve/CVE-2020-16092.html https://www.suse.com/security/cve/CVE-2020-25084.html https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20203.html https://www.suse.com/security/cve/CVE-2021-20221.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1129962 https://bugzilla.suse.com/1154790 https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172384 
https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172386 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1174386 https://bugzilla.suse.com/1174641 https://bugzilla.suse.com/1175441 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178565 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179466 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1180523 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1181639 https://bugzilla.suse.com/1181933 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 From sle-security-updates at lists.suse.com Fri Apr 16 16:31:49 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:31:49 +0200 (CEST) Subject: SUSE-SU-2021:1248-1: important: Security update for the Linux Kernel Message-ID: <20210416163149.8C402FD20@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1248-1 Rating: important References: #1065729 #1113295 #1178181 #1181507 #1183405 #1183755 #1184120 #1184170 #1184391 #1184393 #1184397 #1184494 #1184511 #1184583 Cross-References: CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-36311 CVE-2021-20219 CVE-2021-29154 CVE-2021-30002 CVE-2021-3483 CVSS scores: CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-36311 (NVD) : 5.5 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-20219 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 5 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181). - CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511). - CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391). - CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120). - CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393). - CVE-2021-20219: Fixed a denial of service in n_tty_receive_char_special (bsc#1184397). The following non-security bugs were fixed: - cifs: do not send close in compound create+close requests (bsc#1181507). - net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729). - powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). - powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729). - s390/pci: Fix s390_mmio_read/write with MIO (LTC#192079 bsc#1183755). - vsprintf: Do not have bprintf dereference pointers (bsc#1184494). - vsprintf: Do not preprocess non-dereferenced pointers for bprintf (%px and %pK) (bsc#1184494).
- vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers (bsc#1184494). - x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (12sp5). - xen/events: fix setting irq affinity (bsc#1184583). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1248=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-azure-4.12.14-16.53.1 kernel-azure-base-4.12.14-16.53.1 kernel-azure-base-debuginfo-4.12.14-16.53.1 kernel-azure-debuginfo-4.12.14-16.53.1 kernel-azure-debugsource-4.12.14-16.53.1 kernel-azure-devel-4.12.14-16.53.1 kernel-syms-azure-4.12.14-16.53.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-azure-4.12.14-16.53.1 kernel-source-azure-4.12.14-16.53.1 References: https://www.suse.com/security/cve/CVE-2020-25670.html https://www.suse.com/security/cve/CVE-2020-25671.html https://www.suse.com/security/cve/CVE-2020-25672.html https://www.suse.com/security/cve/CVE-2020-25673.html https://www.suse.com/security/cve/CVE-2020-36311.html https://www.suse.com/security/cve/CVE-2021-20219.html https://www.suse.com/security/cve/CVE-2021-29154.html https://www.suse.com/security/cve/CVE-2021-30002.html https://www.suse.com/security/cve/CVE-2021-3483.html https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1113295 https://bugzilla.suse.com/1178181 https://bugzilla.suse.com/1181507 https://bugzilla.suse.com/1183405 https://bugzilla.suse.com/1183755 https://bugzilla.suse.com/1184120 https://bugzilla.suse.com/1184170 https://bugzilla.suse.com/1184391 https://bugzilla.suse.com/1184393 https://bugzilla.suse.com/1184397 https://bugzilla.suse.com/1184494 
https://bugzilla.suse.com/1184511 https://bugzilla.suse.com/1184583 From sle-security-updates at lists.suse.com Fri Apr 16 16:35:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 16 Apr 2021 18:35:34 +0200 (CEST) Subject: SUSE-SU-2021:1242-1: important: Security update for qemu Message-ID: <20210416163534.D5122FD20@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1242-1 Rating: important References: #1172383 #1172385 #1172386 #1172478 #1173612 #1176673 #1176682 #1176684 #1178049 #1178174 #1178934 #1179466 #1179467 #1179468 #1179686 #1179725 #1179726 #1180523 #1181108 #1181639 #1181933 #1182137 #1182425 #1182577 #1182968 #1183979 Cross-References: CVE-2020-11947 CVE-2020-12829 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-15469 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2021-3416 CVSS scores: CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-15469 (SUSE): 6 
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2020-27821 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-27821 (SUSE): 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-28916 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-28916 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20203 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE 
Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 21 vulnerabilities and has 5 fixes is now available. Description: This update for qemu fixes the following issues: - Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174) - Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686) - Fix null pointer deref.
(DoS) in mmio ops (CVE-2020-15469, bsc#1173612) - Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577) - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416) - Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467) - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) - Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979) - Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523) - Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049) - Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) - Make note that this patch previously included addresses (CVE-2020-13765 bsc#1172478) - Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel - Fix vfio-pci device on s390 enters error state (bsc#1179725) - Fix PCI devices are unavailable after a subsystem reset. (bsc#1179726) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1242=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-48.2 qemu-audio-alsa-3.1.1.1-48.2 qemu-audio-alsa-debuginfo-3.1.1.1-48.2 qemu-audio-oss-3.1.1.1-48.2 qemu-audio-oss-debuginfo-3.1.1.1-48.2 qemu-audio-pa-3.1.1.1-48.2 qemu-audio-pa-debuginfo-3.1.1.1-48.2 qemu-audio-sdl-3.1.1.1-48.2 qemu-audio-sdl-debuginfo-3.1.1.1-48.2 qemu-block-curl-3.1.1.1-48.2 qemu-block-curl-debuginfo-3.1.1.1-48.2 qemu-block-iscsi-3.1.1.1-48.2 qemu-block-iscsi-debuginfo-3.1.1.1-48.2 qemu-block-ssh-3.1.1.1-48.2 qemu-block-ssh-debuginfo-3.1.1.1-48.2 qemu-debugsource-3.1.1.1-48.2 qemu-guest-agent-3.1.1.1-48.2 qemu-guest-agent-debuginfo-3.1.1.1-48.2 qemu-lang-3.1.1.1-48.2 qemu-tools-3.1.1.1-48.2 qemu-tools-debuginfo-3.1.1.1-48.2 qemu-ui-curses-3.1.1.1-48.2 qemu-ui-curses-debuginfo-3.1.1.1-48.2 qemu-ui-gtk-3.1.1.1-48.2 qemu-ui-gtk-debuginfo-3.1.1.1-48.2 qemu-ui-sdl-3.1.1.1-48.2 qemu-ui-sdl-debuginfo-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64): qemu-block-rbd-3.1.1.1-48.2 qemu-block-rbd-debuginfo-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): qemu-kvm-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (ppc64le): qemu-ppc-3.1.1.1-48.2 qemu-ppc-debuginfo-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64): qemu-arm-3.1.1.1-48.2 qemu-arm-debuginfo-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (x86_64): qemu-x86-3.1.1.1-48.2 - SUSE Linux Enterprise Server 12-SP5 (noarch): qemu-ipxe-1.0.0+-48.2 qemu-seabios-1.12.0_0_ga698c89-48.2 qemu-sgabios-8-48.2 qemu-vgabios-1.12.0_0_ga698c89-48.2 - SUSE Linux Enterprise Server 12-SP5 (s390x): qemu-s390-3.1.1.1-48.2 qemu-s390-debuginfo-3.1.1.1-48.2 References: https://www.suse.com/security/cve/CVE-2020-11947.html https://www.suse.com/security/cve/CVE-2020-12829.html 
https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13659.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-15469.html https://www.suse.com/security/cve/CVE-2020-25084.html https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27617.html https://www.suse.com/security/cve/CVE-2020-27821.html https://www.suse.com/security/cve/CVE-2020-28916.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20203.html https://www.suse.com/security/cve/CVE-2021-20221.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3416.html https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172386 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1173612 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178049 https://bugzilla.suse.com/1178174 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179466 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1179468 https://bugzilla.suse.com/1179686 https://bugzilla.suse.com/1179725 https://bugzilla.suse.com/1179726 https://bugzilla.suse.com/1180523 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1181639 https://bugzilla.suse.com/1181933 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 https://bugzilla.suse.com/1182968 https://bugzilla.suse.com/1183979 From sle-security-updates at lists.suse.com Mon Apr 19 10:15:24 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 19 Apr 2021 12:15:24 +0200 (CEST) Subject: SUSE-SU-2021:1250-1: important: Security update for xen Message-ID: <20210419101524.78ADDFF1B@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1250-1 Rating: important References: #1178591 #1182431 Cross-References: CVE-2021-27379 CVSS scores: CVE-2021-27379 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27379 (SUSE): 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for xen fixes the following issues: - CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1250=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1250=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1250=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (x86_64): xen-4.10.4_24-3.56.1 xen-debugsource-4.10.4_24-3.56.1 xen-devel-4.10.4_24-3.56.1 xen-libs-4.10.4_24-3.56.1 xen-libs-debuginfo-4.10.4_24-3.56.1 xen-tools-4.10.4_24-3.56.1 xen-tools-debuginfo-4.10.4_24-3.56.1 xen-tools-domU-4.10.4_24-3.56.1 xen-tools-domU-debuginfo-4.10.4_24-3.56.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): xen-4.10.4_24-3.56.1 xen-debugsource-4.10.4_24-3.56.1 xen-devel-4.10.4_24-3.56.1 xen-libs-4.10.4_24-3.56.1 xen-libs-debuginfo-4.10.4_24-3.56.1 xen-tools-4.10.4_24-3.56.1 xen-tools-debuginfo-4.10.4_24-3.56.1 xen-tools-domU-4.10.4_24-3.56.1 xen-tools-domU-debuginfo-4.10.4_24-3.56.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): xen-4.10.4_24-3.56.1 xen-debugsource-4.10.4_24-3.56.1 xen-devel-4.10.4_24-3.56.1 xen-libs-4.10.4_24-3.56.1 xen-libs-debuginfo-4.10.4_24-3.56.1 xen-tools-4.10.4_24-3.56.1 xen-tools-debuginfo-4.10.4_24-3.56.1 xen-tools-domU-4.10.4_24-3.56.1 xen-tools-domU-debuginfo-4.10.4_24-3.56.1 References: https://www.suse.com/security/cve/CVE-2021-27379.html https://bugzilla.suse.com/1178591 https://bugzilla.suse.com/1182431 From sle-security-updates at lists.suse.com Mon Apr 19 10:16:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 19 Apr 2021 12:16:34 +0200 (CEST) Subject: SUSE-SU-2021:1252-1: important: Security update for xen Message-ID: <20210419101634.6BBE5FF1B@maintenance.suse.de> SUSE Security Update: Security update for xen 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1252-1 Rating: important References: #1182431 #1182846 Cross-References: CVE-2021-20257 CVE-2021-27379 CVSS scores: CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-27379 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27379 (SUSE): 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for xen fixes the following issues: - CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846). - CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1252=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1252=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1252=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1252=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1252=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1252=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 - SUSE OpenStack Cloud 8 (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 
xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 - HPE Helion Openstack 8 (x86_64): xen-4.9.4_16-3.83.1 xen-debugsource-4.9.4_16-3.83.1 xen-doc-html-4.9.4_16-3.83.1 xen-libs-32bit-4.9.4_16-3.83.1 xen-libs-4.9.4_16-3.83.1 xen-libs-debuginfo-32bit-4.9.4_16-3.83.1 xen-libs-debuginfo-4.9.4_16-3.83.1 xen-tools-4.9.4_16-3.83.1 xen-tools-debuginfo-4.9.4_16-3.83.1 xen-tools-domU-4.9.4_16-3.83.1 xen-tools-domU-debuginfo-4.9.4_16-3.83.1 References: https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-27379.html https://bugzilla.suse.com/1182431 https://bugzilla.suse.com/1182846 From sle-security-updates at lists.suse.com Mon Apr 19 10:17:44 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 19 Apr 2021 12:17:44 +0200 (CEST) Subject: SUSE-SU-2021:1251-1: important: Security update for xen Message-ID: <20210419101744.D7826FF1B@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1251-1 Rating: important References: #1178591 #1182431 #1182846 Cross-References: CVE-2021-20257 CVE-2021-27379 CVSS scores: CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-27379 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27379 (SUSE): 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H 
Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for xen fixes the following issues: - CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431) - CVE-2021-20257: Fixed an infinite loop in the e1000 NIC emulator (bsc#1182846) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1251=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1251=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1251=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1251=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): xen-4.11.4_16-2.51.1 xen-debugsource-4.11.4_16-2.51.1 xen-doc-html-4.11.4_16-2.51.1 xen-libs-32bit-4.11.4_16-2.51.1 xen-libs-4.11.4_16-2.51.1 xen-libs-debuginfo-32bit-4.11.4_16-2.51.1 xen-libs-debuginfo-4.11.4_16-2.51.1 xen-tools-4.11.4_16-2.51.1 xen-tools-debuginfo-4.11.4_16-2.51.1 xen-tools-domU-4.11.4_16-2.51.1 xen-tools-domU-debuginfo-4.11.4_16-2.51.1 - SUSE OpenStack Cloud 9 (x86_64): xen-4.11.4_16-2.51.1 xen-debugsource-4.11.4_16-2.51.1 xen-doc-html-4.11.4_16-2.51.1 xen-libs-32bit-4.11.4_16-2.51.1 xen-libs-4.11.4_16-2.51.1 xen-libs-debuginfo-32bit-4.11.4_16-2.51.1 xen-libs-debuginfo-4.11.4_16-2.51.1 xen-tools-4.11.4_16-2.51.1 xen-tools-debuginfo-4.11.4_16-2.51.1 xen-tools-domU-4.11.4_16-2.51.1 
xen-tools-domU-debuginfo-4.11.4_16-2.51.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): xen-4.11.4_16-2.51.1 xen-debugsource-4.11.4_16-2.51.1 xen-doc-html-4.11.4_16-2.51.1 xen-libs-32bit-4.11.4_16-2.51.1 xen-libs-4.11.4_16-2.51.1 xen-libs-debuginfo-32bit-4.11.4_16-2.51.1 xen-libs-debuginfo-4.11.4_16-2.51.1 xen-tools-4.11.4_16-2.51.1 xen-tools-debuginfo-4.11.4_16-2.51.1 xen-tools-domU-4.11.4_16-2.51.1 xen-tools-domU-debuginfo-4.11.4_16-2.51.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): xen-4.11.4_16-2.51.1 xen-debugsource-4.11.4_16-2.51.1 xen-doc-html-4.11.4_16-2.51.1 xen-libs-32bit-4.11.4_16-2.51.1 xen-libs-4.11.4_16-2.51.1 xen-libs-debuginfo-32bit-4.11.4_16-2.51.1 xen-libs-debuginfo-4.11.4_16-2.51.1 xen-tools-4.11.4_16-2.51.1 xen-tools-debuginfo-4.11.4_16-2.51.1 xen-tools-domU-4.11.4_16-2.51.1 xen-tools-domU-debuginfo-4.11.4_16-2.51.1 References: https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-27379.html https://bugzilla.suse.com/1178591 https://bugzilla.suse.com/1182431 https://bugzilla.suse.com/1182846 From sle-security-updates at lists.suse.com Mon Apr 19 19:26:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 19 Apr 2021 21:26:57 +0200 (CEST) Subject: SUSE-SU-2021:14702-1: important: Security update for xen Message-ID: <20210419192657.55FC8FF1B@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14702-1 Rating: important References: #1182155 #1182846 #1182975 Cross-References: CVE-2021-20257 CVE-2021-3419 CVSS scores: CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 
______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for xen fixes the following issues: - CVE-2021-3419: Fixed a stack overflow induced by infinite recursion issue (bsc#1182975). - CVE-2021-20257: Fixed an infinite loop in the e1000 NIC emulator (bsc#1182846) - xenstored crashing with segfault (bsc#1182155). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-xen-14702=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xen-14702=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): xen-kmp-default-4.4.4_48_3.0.101_108.123-61.64.1 xen-libs-4.4.4_48-61.64.1 xen-tools-domU-4.4.4_48-61.64.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): xen-4.4.4_48-61.64.1 xen-doc-html-4.4.4_48-61.64.1 xen-libs-32bit-4.4.4_48-61.64.1 xen-tools-4.4.4_48-61.64.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (i586): xen-kmp-pae-4.4.4_48_3.0.101_108.123-61.64.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): xen-debuginfo-4.4.4_48-61.64.1 xen-debugsource-4.4.4_48-61.64.1 References: https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1182155 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975 From sle-security-updates at lists.suse.com Tue Apr 20 10:15:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 12:15:17 +0200 (CEST) Subject: SUSE-SU-2021:1266-1: important: Security update for the Linux Kernel Message-ID: <20210420101517.78C26FF1B@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1266-1 Rating: important References: #1065729 #1113295 #1178181 #1181507 #1181674 #1183405 #1183662 #1183755 #1184114 #1184120 #1184170 #1184391 #1184393 #1184397 #1184494 #1184511 #1184583 Cross-References: CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-36311 CVE-2021-20219 CVE-2021-29154 CVE-2021-30002 CVE-2021-3483 CVSS scores: CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-20219 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP5 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 8 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 kernel RT was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391). - CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181). - CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511). - CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393). - CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120). 
- CVE-2021-20219: Fixed a denial of service in n_tty_receive_char_special (bsc#1184397). The following non-security bugs were fixed: - cifs: change noisy error message to FYI (bsc#1181507). - cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507). - cifs: do not send close in compound create+close requests (bsc#1181507). - cifs: New optype for session operations (bsc#1181507). - cifs: print MIDs in decimal notation (bsc#1181507). - cifs: return proper error code in statfs(2) (bsc#1181507). - cifs: Tracepoints and logs for tracing credit changes (bsc#1181507). - fix setting irq affinity (bsc#1184583) - ibmvnic: Use 'skb_frag_address()' instead of hand coding it (bsc#1184114 ltc#192237). - locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes). - net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729). - powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). - powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922). - powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729). - s390/pci: Fix s390_mmio_read/write with MIO (LTC#192079 bsc#1183755). - smb3: add dynamic trace point to trace when credits obtained (bsc#1181507). - smb3: fix crediting for compounding when only one request in flight (bsc#1181507). - usbip: fix stub_dev to check for stream socket (git-fixes). - usbip: fix vhci_hcd to check for stream socket (git-fixes). - virsh: list is showing less guests then "xl list" (bsc#1184513). - vsprintf: Do not have bprintf dereference pointers (bsc#1184494). - vsprintf: Do not preprocess non-dereferenced pointers for bprintf (%px and %pK) (bsc#1184494). - vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers (bsc#1184494). 
Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 12-SP5: zypper in -t patch SUSE-SLE-RT-12-SP5-2021-1266=1 Package List: - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64): cluster-md-kmp-rt-4.12.14-10.40.1 cluster-md-kmp-rt-debuginfo-4.12.14-10.40.1 dlm-kmp-rt-4.12.14-10.40.1 dlm-kmp-rt-debuginfo-4.12.14-10.40.1 gfs2-kmp-rt-4.12.14-10.40.1 gfs2-kmp-rt-debuginfo-4.12.14-10.40.1 kernel-rt-4.12.14-10.40.1 kernel-rt-base-4.12.14-10.40.1 kernel-rt-base-debuginfo-4.12.14-10.40.1 kernel-rt-debuginfo-4.12.14-10.40.1 kernel-rt-debugsource-4.12.14-10.40.1 kernel-rt-devel-4.12.14-10.40.1 kernel-rt-devel-debuginfo-4.12.14-10.40.1 kernel-rt_debug-4.12.14-10.40.1 kernel-rt_debug-debuginfo-4.12.14-10.40.1 kernel-rt_debug-debugsource-4.12.14-10.40.1 kernel-rt_debug-devel-4.12.14-10.40.1 kernel-rt_debug-devel-debuginfo-4.12.14-10.40.1 kernel-syms-rt-4.12.14-10.40.1 ocfs2-kmp-rt-4.12.14-10.40.1 ocfs2-kmp-rt-debuginfo-4.12.14-10.40.1 - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch): kernel-devel-rt-4.12.14-10.40.1 kernel-source-rt-4.12.14-10.40.1 References: https://www.suse.com/security/cve/CVE-2020-25670.html https://www.suse.com/security/cve/CVE-2020-25671.html https://www.suse.com/security/cve/CVE-2020-25672.html https://www.suse.com/security/cve/CVE-2020-25673.html https://www.suse.com/security/cve/CVE-2020-36311.html https://www.suse.com/security/cve/CVE-2021-20219.html https://www.suse.com/security/cve/CVE-2021-29154.html https://www.suse.com/security/cve/CVE-2021-30002.html https://www.suse.com/security/cve/CVE-2021-3483.html https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1113295 https://bugzilla.suse.com/1178181 https://bugzilla.suse.com/1181507 
https://bugzilla.suse.com/1181674 https://bugzilla.suse.com/1183405 https://bugzilla.suse.com/1183662 https://bugzilla.suse.com/1183755 https://bugzilla.suse.com/1184114 https://bugzilla.suse.com/1184120 https://bugzilla.suse.com/1184170 https://bugzilla.suse.com/1184391 https://bugzilla.suse.com/1184393 https://bugzilla.suse.com/1184397 https://bugzilla.suse.com/1184494 https://bugzilla.suse.com/1184511 https://bugzilla.suse.com/1184583 From sle-security-updates at lists.suse.com Tue Apr 20 13:16:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 15:16:17 +0200 (CEST) Subject: SUSE-SU-2021:1268-1: important: Security update for xen Message-ID: <20210420131617.1F92AFF1B@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1268-1 Rating: important References: #1182155 #1182431 Cross-References: CVE-2021-27379 CVSS scores: CVE-2021-27379 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27379 (SUSE): 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for xen fixes the following issues: - CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431) - Fixed an issue where xenstored was crashing with segfault (bsc#1182155). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1268=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1268=1 Package List: - SUSE OpenStack Cloud 7 (x86_64): xen-4.7.6_14-43.76.1 xen-debugsource-4.7.6_14-43.76.1 xen-doc-html-4.7.6_14-43.76.1 xen-libs-32bit-4.7.6_14-43.76.1 xen-libs-4.7.6_14-43.76.1 xen-libs-debuginfo-32bit-4.7.6_14-43.76.1 xen-libs-debuginfo-4.7.6_14-43.76.1 xen-tools-4.7.6_14-43.76.1 xen-tools-debuginfo-4.7.6_14-43.76.1 xen-tools-domU-4.7.6_14-43.76.1 xen-tools-domU-debuginfo-4.7.6_14-43.76.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): xen-4.7.6_14-43.76.1 xen-debugsource-4.7.6_14-43.76.1 xen-doc-html-4.7.6_14-43.76.1 xen-libs-32bit-4.7.6_14-43.76.1 xen-libs-4.7.6_14-43.76.1 xen-libs-debuginfo-32bit-4.7.6_14-43.76.1 xen-libs-debuginfo-4.7.6_14-43.76.1 xen-tools-4.7.6_14-43.76.1 xen-tools-debuginfo-4.7.6_14-43.76.1 xen-tools-domU-4.7.6_14-43.76.1 xen-tools-domU-debuginfo-4.7.6_14-43.76.1 References: https://www.suse.com/security/cve/CVE-2021-27379.html https://bugzilla.suse.com/1182155 https://bugzilla.suse.com/1182431 From sle-security-updates at lists.suse.com Tue Apr 20 13:17:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 15:17:17 +0200 (CEST) Subject: SUSE-SU-2021:1267-1: important: Security update for sudo Message-ID: <20210420131717.582CBFF1B@maintenance.suse.de> SUSE Security Update: Security update for sudo ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1267-1 Rating: important References: #1183936 Cross-References: CVE-2021-3156 CVSS scores: CVE-2021-3156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3156 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise 
Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1267=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1267=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1267=1 Package List: - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): sudo-1.8.10p3-10.35.1 sudo-debuginfo-1.8.10p3-10.35.1 sudo-debugsource-1.8.10p3-10.35.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): sudo-1.8.10p3-10.35.1 sudo-debuginfo-1.8.10p3-10.35.1 sudo-debugsource-1.8.10p3-10.35.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): sudo-1.8.10p3-10.35.1 sudo-debuginfo-1.8.10p3-10.35.1 sudo-debugsource-1.8.10p3-10.35.1 References: https://www.suse.com/security/cve/CVE-2021-3156.html https://bugzilla.suse.com/1183936 From sle-security-updates at lists.suse.com Tue Apr 20 16:17:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:17:05 +0200 (CEST) Subject: SUSE-SU-2021:14704-1: important: Security update for kvm Message-ID: <20210420161705.9E8A0FF1B@maintenance.suse.de> SUSE Security Update: Security update for kvm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14704-1 Rating: important References: #1172383 #1172384 #1172385 #1172478 #1175441 
#1176673 #1176682 #1176684 #1178934 #1179467 #1181108 #1182137 #1182425 #1182577 Cross-References: CVE-2014-3689 CVE-2015-1779 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13765 CVE-2020-14364 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20257 CVSS scores: CVE-2015-1779 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L CVE-2021-20181 
(SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that fixes 15 vulnerabilities is now available. Description: This update for kvm fixes the following issues: - Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577) - Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467) - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-kvm-14704=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 s390x x86_64): kvm-1.4.2-60.34.1 References: https://www.suse.com/security/cve/CVE-2014-3689.html https://www.suse.com/security/cve/CVE-2015-1779.html https://www.suse.com/security/cve/CVE-2020-12829.html https://www.suse.com/security/cve/CVE-2020-13361.html https://www.suse.com/security/cve/CVE-2020-13362.html https://www.suse.com/security/cve/CVE-2020-13765.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25084.html https://www.suse.com/security/cve/CVE-2020-25624.html https://www.suse.com/security/cve/CVE-2020-25625.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-29443.html https://www.suse.com/security/cve/CVE-2021-20181.html https://www.suse.com/security/cve/CVE-2021-20257.html https://bugzilla.suse.com/1172383 https://bugzilla.suse.com/1172384 https://bugzilla.suse.com/1172385 https://bugzilla.suse.com/1172478 https://bugzilla.suse.com/1175441 https://bugzilla.suse.com/1176673 https://bugzilla.suse.com/1176682 https://bugzilla.suse.com/1176684 https://bugzilla.suse.com/1178934 https://bugzilla.suse.com/1179467 https://bugzilla.suse.com/1181108 https://bugzilla.suse.com/1182137 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182577 From sle-security-updates at lists.suse.com Tue Apr 20 16:20:25 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:20:25 +0200 (CEST) Subject: SUSE-SU-2021:1275-1: important: Security update for sudo Message-ID: <20210420162025.9288FFF1B@maintenance.suse.de> SUSE Security Update: Security update for sudo ______________________________________________________________________________ 
Announcement ID: SUSE-SU-2021:1275-1 Rating: important References: #1183936 Cross-References: CVE-2021-3156 CVSS scores: CVE-2021-3156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3156 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1275=1 - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1275=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1275=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1275=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1275=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1275=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1275=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1275=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1275=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1275=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1275=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1275=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1275=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1275=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1275=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 - SUSE Manager Server 4.0 (ppc64le s390x x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Manager Proxy 4.0 (x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise High 
Performance Computing 15-LTSS (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 - SUSE CaaS Platform 4.0 (x86_64): sudo-1.8.22-4.18.1 sudo-debuginfo-1.8.22-4.18.1 sudo-debugsource-1.8.22-4.18.1 sudo-devel-1.8.22-4.18.1 References: https://www.suse.com/security/cve/CVE-2021-3156.html https://bugzilla.suse.com/1183936 From sle-security-updates at lists.suse.com Tue Apr 20 16:25:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:25:15 +0200 (CEST) Subject: SUSE-SU-2021:1274-1: important: Security update for sudo Message-ID: <20210420162515.DF52EFF1B@maintenance.suse.de> SUSE Security Update: Security update for sudo ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1274-1 Rating: important References: #1183936 Cross-References: CVE-2021-3156 CVSS scores: CVE-2021-3156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3156 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1274=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1274=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): sudo-debuginfo-1.8.27-4.15.1 sudo-debugsource-1.8.27-4.15.1 sudo-devel-1.8.27-4.15.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): sudo-1.8.27-4.15.1 sudo-debuginfo-1.8.27-4.15.1 sudo-debugsource-1.8.27-4.15.1 References: https://www.suse.com/security/cve/CVE-2021-3156.html https://bugzilla.suse.com/1183936 From sle-security-updates at lists.suse.com Tue Apr 20 16:29:07 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:29:07 +0200 (CEST) Subject: SUSE-SU-2021:1273-1: important: Security update for sudo Message-ID: <20210420162907.D7116FF1B@maintenance.suse.de> SUSE Security Update: Security update for sudo ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1273-1 Rating: important References: #1183936 Cross-References: CVE-2021-3156 CVSS scores: CVE-2021-3156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3156 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1273=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1273=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1273=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1273=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1273=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1273=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1273=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1273=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1273=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1273=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE OpenStack Cloud 9 (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE OpenStack Cloud 8 (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le 
x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 - HPE Helion Openstack 8 (x86_64): sudo-1.8.20p2-3.23.1 sudo-debuginfo-1.8.20p2-3.23.1 sudo-debugsource-1.8.20p2-3.23.1 References: https://www.suse.com/security/cve/CVE-2021-3156.html https://bugzilla.suse.com/1183936 From sle-security-updates at lists.suse.com Tue Apr 20 16:32:36 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:32:36 +0200 (CEST) Subject: SUSE-SU-2021:1277-1: moderate: Security update for ImageMagick Message-ID: <20210420163236.525E0FF1B@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1277-1 Rating: moderate References: #1184624 #1184626 #1184627 #1184628 Cross-References: CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313 CVSS scores: CVE-2021-20309 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20311 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20312 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20313 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes four vulnerabilities is 
now available. Description: This update for ImageMagick fixes the following issues: - CVE-2021-20309: Division by zero in WaveImage() of MagickCore/visual-effects. (bsc#1184624) - CVE-2021-20311: Division by zero in sRGBTransformImage() in MagickCore/colorspace.c (bsc#1184626) - CVE-2021-20312: Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c (bsc#1184627) - CVE-2021-20313: Cipher leak when calculating signatures in TransformSignature of MagickCore/signature.c (bsc#1184628) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-1277=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1277=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1277=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): ImageMagick-6.8.8.1-71.165.1 ImageMagick-debuginfo-6.8.8.1-71.165.1 ImageMagick-debugsource-6.8.8.1-71.165.1 libMagick++-6_Q16-3-6.8.8.1-71.165.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.165.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.165.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.165.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-71.165.1 ImageMagick-config-6-SUSE-6.8.8.1-71.165.1 ImageMagick-config-6-upstream-6.8.8.1-71.165.1 ImageMagick-debuginfo-6.8.8.1-71.165.1 ImageMagick-debugsource-6.8.8.1-71.165.1 ImageMagick-devel-6.8.8.1-71.165.1 libMagick++-6_Q16-3-6.8.8.1-71.165.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.165.1 libMagick++-devel-6.8.8.1-71.165.1 perl-PerlMagick-6.8.8.1-71.165.1 perl-PerlMagick-debuginfo-6.8.8.1-71.165.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): 
ImageMagick-config-6-SUSE-6.8.8.1-71.165.1 ImageMagick-config-6-upstream-6.8.8.1-71.165.1 ImageMagick-debuginfo-6.8.8.1-71.165.1 ImageMagick-debugsource-6.8.8.1-71.165.1 libMagickCore-6_Q16-1-6.8.8.1-71.165.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.165.1 libMagickWand-6_Q16-1-6.8.8.1-71.165.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.165.1 References: https://www.suse.com/security/cve/CVE-2021-20309.html https://www.suse.com/security/cve/CVE-2021-20311.html https://www.suse.com/security/cve/CVE-2021-20312.html https://www.suse.com/security/cve/CVE-2021-20313.html https://bugzilla.suse.com/1184624 https://bugzilla.suse.com/1184626 https://bugzilla.suse.com/1184627 https://bugzilla.suse.com/1184628 From sle-security-updates at lists.suse.com Tue Apr 20 16:34:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:34:00 +0200 (CEST) Subject: SUSE-SU-2021:1280-1: moderate: Security update for ruby2.5 Message-ID: <20210420163400.2398FFF1B@maintenance.suse.de> SUSE Security Update: Security update for ruby2.5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1280-1 Rating: moderate References: #1184644 Cross-References: CVE-2021-28965 CVSS scores: CVE-2021-28965 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ruby2.5 fixes the following issues: - Update to 2.5.9 - CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1280=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1280=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libruby2_5-2_5-2.5.9-4.17.1 libruby2_5-2_5-debuginfo-2.5.9-4.17.1 ruby2.5-2.5.9-4.17.1 ruby2.5-debuginfo-2.5.9-4.17.1 ruby2.5-debugsource-2.5.9-4.17.1 ruby2.5-stdlib-2.5.9-4.17.1 ruby2.5-stdlib-debuginfo-2.5.9-4.17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libruby2_5-2_5-2.5.9-4.17.1 libruby2_5-2_5-debuginfo-2.5.9-4.17.1 ruby2.5-2.5.9-4.17.1 ruby2.5-debuginfo-2.5.9-4.17.1 ruby2.5-debugsource-2.5.9-4.17.1 ruby2.5-devel-2.5.9-4.17.1 ruby2.5-devel-extra-2.5.9-4.17.1 ruby2.5-stdlib-2.5.9-4.17.1 ruby2.5-stdlib-debuginfo-2.5.9-4.17.1 References: https://www.suse.com/security/cve/CVE-2021-28965.html https://bugzilla.suse.com/1184644 From sle-security-updates at lists.suse.com Tue Apr 20 16:35:04 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:35:04 +0200 (CEST) Subject: SUSE-SU-2021:1282-1: moderate: Security update for apache-commons-io Message-ID: <20210420163504.1E996FF1B@maintenance.suse.de> SUSE Security Update: Security update for apache-commons-io ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1282-1 Rating: moderate References: #1184755 Cross-References: CVE-2021-29425 CVSS scores: CVE-2021-29425 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for apache-commons-io fixes the following issues: - CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1282=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): apache-commons-io-2.6-3.3.1 References: https://www.suse.com/security/cve/CVE-2021-29425.html https://bugzilla.suse.com/1184755 From sle-security-updates at lists.suse.com Tue Apr 20 16:36:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 20 Apr 2021 18:36:10 +0200 (CEST) Subject: SUSE-SU-2021:1276-1: moderate: Security update for ImageMagick Message-ID: <20210420163610.1AEB4FF1B@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1276-1 Rating: moderate References: #1184624 #1184626 #1184627 #1184628 Cross-References: CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313 CVSS scores: CVE-2021-20309 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20311 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20312 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20313 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 
______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for ImageMagick fixes the following issues: - CVE-2021-20309: Division by zero in WaveImage() of MagickCore/visual-effects. (bsc#1184624) - CVE-2021-20311: Division by zero in sRGBTransformImage() in MagickCore/colorspace.c (bsc#1184626) - CVE-2021-20312: Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c (bsc#1184627) - CVE-2021-20313: Cipher leak when calculating signatures in TransformSignature of MagickCore/signature.c (bsc#1184628) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1276=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1276=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1276=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1276=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-7.0.7.34-10.15.1 ImageMagick-debugsource-7.0.7.34-10.15.1 perl-PerlMagick-7.0.7.34-10.15.1 perl-PerlMagick-debuginfo-7.0.7.34-10.15.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-7.0.7.34-10.15.1 ImageMagick-debugsource-7.0.7.34-10.15.1 perl-PerlMagick-7.0.7.34-10.15.1 perl-PerlMagick-debuginfo-7.0.7.34-10.15.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): 
ImageMagick-7.0.7.34-10.15.1 ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 ImageMagick-config-7-upstream-7.0.7.34-10.15.1 ImageMagick-debuginfo-7.0.7.34-10.15.1 ImageMagick-debugsource-7.0.7.34-10.15.1 ImageMagick-devel-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-10.15.1 libMagick++-devel-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-10.15.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): ImageMagick-7.0.7.34-10.15.1 ImageMagick-config-7-SUSE-7.0.7.34-10.15.1 ImageMagick-config-7-upstream-7.0.7.34-10.15.1 ImageMagick-debuginfo-7.0.7.34-10.15.1 ImageMagick-debugsource-7.0.7.34-10.15.1 ImageMagick-devel-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-7.0.7.34-10.15.1 libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-10.15.1 libMagick++-devel-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-7.0.7.34-10.15.1 libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-10.15.1 References: https://www.suse.com/security/cve/CVE-2021-20309.html https://www.suse.com/security/cve/CVE-2021-20311.html https://www.suse.com/security/cve/CVE-2021-20312.html https://www.suse.com/security/cve/CVE-2021-20313.html https://bugzilla.suse.com/1184624 https://bugzilla.suse.com/1184626 https://bugzilla.suse.com/1184627 https://bugzilla.suse.com/1184628 From sle-security-updates at lists.suse.com Wed Apr 21 16:25:43 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Apr 2021 18:25:43 +0200 (CEST) Subject: SUSE-SU-2021:1292-1: moderate: Security update for pcp Message-ID: <20210421162543.6C365FF86@maintenance.suse.de> SUSE Security Update: Security update for pcp 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1292-1 Rating: moderate References: #1123311 #1171883 #1181571 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for pcp fixes the following issues: - Fixed completely CVE-2020-8025 (bsc#1171883) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1292=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1292=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1292=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1292=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libpcp-devel-3.11.9-5.11.5 libpcp3-3.11.9-5.11.5 libpcp3-debuginfo-3.11.9-5.11.5 libpcp_gui2-3.11.9-5.11.5 libpcp_gui2-debuginfo-3.11.9-5.11.5 libpcp_import1-3.11.9-5.11.5 libpcp_import1-debuginfo-3.11.9-5.11.5 libpcp_mmv1-3.11.9-5.11.5 libpcp_mmv1-debuginfo-3.11.9-5.11.5 libpcp_trace2-3.11.9-5.11.5 libpcp_trace2-debuginfo-3.11.9-5.11.5 libpcp_web1-3.11.9-5.11.5 libpcp_web1-debuginfo-3.11.9-5.11.5 pcp-3.11.9-5.11.5 pcp-conf-3.11.9-5.11.5 pcp-debuginfo-3.11.9-5.11.5 pcp-debugsource-3.11.9-5.11.5 pcp-devel-3.11.9-5.11.5 pcp-devel-debuginfo-3.11.9-5.11.5 pcp-import-iostat2pcp-3.11.9-5.11.5 pcp-import-mrtg2pcp-3.11.9-5.11.5 
pcp-import-sar2pcp-3.11.9-5.11.5 perl-PCP-LogImport-3.11.9-5.11.5 perl-PCP-LogImport-debuginfo-3.11.9-5.11.5 perl-PCP-LogSummary-3.11.9-5.11.5 perl-PCP-MMV-3.11.9-5.11.5 perl-PCP-MMV-debuginfo-3.11.9-5.11.5 perl-PCP-PMDA-3.11.9-5.11.5 perl-PCP-PMDA-debuginfo-3.11.9-5.11.5 python-pcp-3.11.9-5.11.5 python-pcp-debuginfo-3.11.9-5.11.5 - SUSE Linux Enterprise Server for SAP 15 (noarch): pcp-doc-3.11.9-5.11.5 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libpcp-devel-3.11.9-5.11.5 libpcp3-3.11.9-5.11.5 libpcp3-debuginfo-3.11.9-5.11.5 libpcp_gui2-3.11.9-5.11.5 libpcp_gui2-debuginfo-3.11.9-5.11.5 libpcp_import1-3.11.9-5.11.5 libpcp_import1-debuginfo-3.11.9-5.11.5 libpcp_mmv1-3.11.9-5.11.5 libpcp_mmv1-debuginfo-3.11.9-5.11.5 libpcp_trace2-3.11.9-5.11.5 libpcp_trace2-debuginfo-3.11.9-5.11.5 libpcp_web1-3.11.9-5.11.5 libpcp_web1-debuginfo-3.11.9-5.11.5 pcp-3.11.9-5.11.5 pcp-conf-3.11.9-5.11.5 pcp-debuginfo-3.11.9-5.11.5 pcp-debugsource-3.11.9-5.11.5 pcp-devel-3.11.9-5.11.5 pcp-devel-debuginfo-3.11.9-5.11.5 pcp-import-iostat2pcp-3.11.9-5.11.5 pcp-import-mrtg2pcp-3.11.9-5.11.5 pcp-import-sar2pcp-3.11.9-5.11.5 perl-PCP-LogImport-3.11.9-5.11.5 perl-PCP-LogImport-debuginfo-3.11.9-5.11.5 perl-PCP-LogSummary-3.11.9-5.11.5 perl-PCP-MMV-3.11.9-5.11.5 perl-PCP-MMV-debuginfo-3.11.9-5.11.5 perl-PCP-PMDA-3.11.9-5.11.5 perl-PCP-PMDA-debuginfo-3.11.9-5.11.5 python-pcp-3.11.9-5.11.5 python-pcp-debuginfo-3.11.9-5.11.5 - SUSE Linux Enterprise Server 15-LTSS (noarch): pcp-doc-3.11.9-5.11.5 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libpcp-devel-3.11.9-5.11.5 libpcp3-3.11.9-5.11.5 libpcp3-debuginfo-3.11.9-5.11.5 libpcp_gui2-3.11.9-5.11.5 libpcp_gui2-debuginfo-3.11.9-5.11.5 libpcp_import1-3.11.9-5.11.5 libpcp_import1-debuginfo-3.11.9-5.11.5 libpcp_mmv1-3.11.9-5.11.5 libpcp_mmv1-debuginfo-3.11.9-5.11.5 libpcp_trace2-3.11.9-5.11.5 libpcp_trace2-debuginfo-3.11.9-5.11.5 libpcp_web1-3.11.9-5.11.5 libpcp_web1-debuginfo-3.11.9-5.11.5 pcp-3.11.9-5.11.5 
pcp-conf-3.11.9-5.11.5 pcp-debuginfo-3.11.9-5.11.5 pcp-debugsource-3.11.9-5.11.5 pcp-devel-3.11.9-5.11.5 pcp-devel-debuginfo-3.11.9-5.11.5 pcp-import-iostat2pcp-3.11.9-5.11.5 pcp-import-mrtg2pcp-3.11.9-5.11.5 pcp-import-sar2pcp-3.11.9-5.11.5 perl-PCP-LogImport-3.11.9-5.11.5 perl-PCP-LogImport-debuginfo-3.11.9-5.11.5 perl-PCP-LogSummary-3.11.9-5.11.5 perl-PCP-MMV-3.11.9-5.11.5 perl-PCP-MMV-debuginfo-3.11.9-5.11.5 perl-PCP-PMDA-3.11.9-5.11.5 perl-PCP-PMDA-debuginfo-3.11.9-5.11.5 python-pcp-3.11.9-5.11.5 python-pcp-debuginfo-3.11.9-5.11.5 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): pcp-doc-3.11.9-5.11.5 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libpcp-devel-3.11.9-5.11.5 libpcp3-3.11.9-5.11.5 libpcp3-debuginfo-3.11.9-5.11.5 libpcp_gui2-3.11.9-5.11.5 libpcp_gui2-debuginfo-3.11.9-5.11.5 libpcp_import1-3.11.9-5.11.5 libpcp_import1-debuginfo-3.11.9-5.11.5 libpcp_mmv1-3.11.9-5.11.5 libpcp_mmv1-debuginfo-3.11.9-5.11.5 libpcp_trace2-3.11.9-5.11.5 libpcp_trace2-debuginfo-3.11.9-5.11.5 libpcp_web1-3.11.9-5.11.5 libpcp_web1-debuginfo-3.11.9-5.11.5 pcp-3.11.9-5.11.5 pcp-conf-3.11.9-5.11.5 pcp-debuginfo-3.11.9-5.11.5 pcp-debugsource-3.11.9-5.11.5 pcp-devel-3.11.9-5.11.5 pcp-devel-debuginfo-3.11.9-5.11.5 pcp-import-iostat2pcp-3.11.9-5.11.5 pcp-import-mrtg2pcp-3.11.9-5.11.5 pcp-import-sar2pcp-3.11.9-5.11.5 perl-PCP-LogImport-3.11.9-5.11.5 perl-PCP-LogImport-debuginfo-3.11.9-5.11.5 perl-PCP-LogSummary-3.11.9-5.11.5 perl-PCP-MMV-3.11.9-5.11.5 perl-PCP-MMV-debuginfo-3.11.9-5.11.5 perl-PCP-PMDA-3.11.9-5.11.5 perl-PCP-PMDA-debuginfo-3.11.9-5.11.5 python-pcp-3.11.9-5.11.5 python-pcp-debuginfo-3.11.9-5.11.5 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): pcp-doc-3.11.9-5.11.5 References: https://bugzilla.suse.com/1123311 https://bugzilla.suse.com/1171883 https://bugzilla.suse.com/1181571 From sle-security-updates at lists.suse.com Wed Apr 21 16:29:08 2021 From: sle-security-updates at lists.suse.com 
(sle-security-updates at lists.suse.com) Date: Wed, 21 Apr 2021 18:29:08 +0200 (CEST) Subject: SUSE-SU-2021:14705-1: important: Security update for tomcat6 Message-ID: <20210421162908.3706BFF86@maintenance.suse.de> SUSE Security Update: Security update for tomcat6 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14705-1 Rating: important References: #1059554 #1180947 #1182909 Cross-References: CVE-2017-12617 CVE-2021-24122 CVE-2021-25329 CVSS scores: CVE-2017-12617 (NVD) : 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12617 (SUSE): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-24122 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-24122 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for tomcat6 fixes the following issues: - CVE-2021-25329: Fixed completely CVE-2020-9484 (bsc#1182909). - CVE-2021-24122: Fixed an information disclosure (bsc#1180947). - CVE-2017-12617: Fixed a file inclusion vulnerability through a crafted request (bsc#1059554). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-tomcat6-14705=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-tomcat6-14705=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (noarch): tomcat6-6.0.53-0.57.19.1 tomcat6-admin-webapps-6.0.53-0.57.19.1 tomcat6-docs-webapp-6.0.53-0.57.19.1 tomcat6-javadoc-6.0.53-0.57.19.1 tomcat6-jsp-2_1-api-6.0.53-0.57.19.1 tomcat6-lib-6.0.53-0.57.19.1 tomcat6-servlet-2_5-api-6.0.53-0.57.19.1 tomcat6-webapps-6.0.53-0.57.19.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): tomcat6-6.0.53-0.57.19.1 tomcat6-admin-webapps-6.0.53-0.57.19.1 tomcat6-docs-webapp-6.0.53-0.57.19.1 tomcat6-javadoc-6.0.53-0.57.19.1 tomcat6-jsp-2_1-api-6.0.53-0.57.19.1 tomcat6-lib-6.0.53-0.57.19.1 tomcat6-servlet-2_5-api-6.0.53-0.57.19.1 tomcat6-webapps-6.0.53-0.57.19.1 References: https://www.suse.com/security/cve/CVE-2017-12617.html https://www.suse.com/security/cve/CVE-2021-24122.html https://www.suse.com/security/cve/CVE-2021-25329.html https://bugzilla.suse.com/1059554 https://bugzilla.suse.com/1180947 https://bugzilla.suse.com/1182909 From sle-security-updates at lists.suse.com Wed Apr 21 16:30:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 21 Apr 2021 18:30:27 +0200 (CEST) Subject: SUSE-SU-2021:1301-1: important: Security update for the Linux Kernel Message-ID: <20210421163027.B90ADFF86@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1301-1 Rating: important References: #1047233 #1065729 #1113295 #1152489 #1154353 #1155518 #1156395 #1178181 #1181507 #1183405 #1184074 #1184120 #1184194 #1184211 #1184388 #1184391 #1184393 #1184509 #1184511 #1184512 #1184514 #1184583 #1184647 Cross-References: CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 
CVE-2020-25673 CVE-2020-36310 CVE-2020-36311 CVE-2020-36312 CVE-2021-28950 CVE-2021-29154 CVE-2021-30002 CVE-2021-3483 CVSS scores: CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-36310 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36312 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-28950 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP2 ______________________________________________________________________________ An update that solves 11 vulnerabilities and has 12 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181). - CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511). - CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391). - CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120). - CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393). - CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512). - CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509). 
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop continually finding the same bad inode (bsc#1184194). The following non-security bugs were fixed: - ALSA: aloop: Fix initialization of controls (git-fixes). - ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (git-fixes). - appletalk: Fix skb allocation size in loopback case (git-fixes). - ASoC: cygnus: fix for_each_child.cocci warnings (git-fixes). - ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions (git-fixes). - ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes). - ASoC: max98373: Added 30ms turn on/off time delay (git-fixes). - ASoC: sunxi: sun4i-codec: fill ASoC card owner (git-fixes). - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes). - ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (git-fixes). - atl1c: fix error return code in atl1c_probe() (git-fixes). - atl1e: fix error return code in atl1e_probe() (git-fixes). - batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field (git-fixes). - bpf: Remove MTU check in __bpf_skb_max_len (bsc#1155518). - brcmfmac: clear EAP/association status bits on linkdown events (git-fixes). - bus: ti-sysc: Fix warning on unbind if reset is not deasserted (git-fixes). - cifs: change noisy error message to FYI (bsc#1181507). - cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507). - cifs: do not send close in compound create+close requests (bsc#1181507). - cifs: New optype for session operations (bsc#1181507). - cifs: print MIDs in decimal notation (bsc#1181507). - cifs: return proper error code in statfs(2) (bsc#1181507). - cifs: Tracepoints and logs for tracing credit changes (bsc#1181507). - clk: fix invalid usage of list cursor in register (git-fixes). - clk: fix invalid usage of list cursor in unregister (git-fixes). 
- clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes). - drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes). - drm/amdgpu: check alignment on CPU page for bo map (git-fixes). - drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (git-fixes). - drm/i915: Fix invalid access to ACPI _DSM objects (bsc#1184074). - drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup to other GPUs (git-fixes). - drm/msm: Ratelimit invalid-fence message (git-fixes). - drm/msm: Set drvdata to NULL when msm_drm_init() fails (git-fixes). - enetc: Fix reporting of h/w packet counters (git-fixes). - fuse: fix bad inode (bsc#1184211). - fuse: fix live lock in fuse_iget() (bsc#1184211). - i40e: Fix parameters in aq_get_phy_register() (jsc#SLE-8025). - i40e: Fix sparse error: 'vsi->netdev' could be null (jsc#SLE-8025). - ice: remove DCBNL_DEVRESET bit from PF state (jsc#SLE-7926). - kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). - libbpf: Fix INSTALL flag order (bsc#1155518). - locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes). - mac80211: choose first enabled channel for monitor (git-fixes). - mac80211: fix TXQ AC confusion (git-fixes). - mISDN: fix crash in fritzpci (git-fixes). - net: atheros: switch from 'pci_' to 'dma_' API (git-fixes). - net: b44: fix error return code in b44_init_one() (git-fixes). - net: ethernet: ti: cpsw: fix error return code in cpsw_probe() (git-fixes). - net: hns3: Remove the left over redundant check & assignment (bsc#1154353). - net: lantiq: Wait for the GPHY firmware to be ready (git-fixes). - net/mlx5: Fix PPLM register mapping (jsc#SLE-8464). - net: pasemi: fix error return code in pasemi_mac_open() (git-fixes). - net: phy: broadcom: Only advertise EEE for supported modes (git-fixes). - net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup (git-fixes). 
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - net: wan/lmc: unregister device when no matching device is found (git-fixes). - platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (git-fixes). - platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (git-fixes). - PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes). - post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388). - powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729). - powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes). - powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729). - powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395). - powerpc/sstep: Fix darn emulation (bsc#1156395). - powerpc/sstep: Fix incorrect return from analyze_instr() (bsc#1156395). - powerpc/sstep: Fix load-store and update emulation (bsc#1156395). - qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes). - RAS/CEC: Correct ce_add_elem()'s returned values (bsc#1152489). - rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514) - scsi: ibmvfc: Fix invalid state machine BUG_ON() (bsc#1184647 ltc#191231). - smb3: add dynamic trace point to trace when credits obtained (bsc#1181507). - smb3: fix crediting for compounding when only one request in flight (bsc#1181507). - soc/fsl: qbman: fix conflicting alignment attributes (git-fixes). - thermal/core: Add NULL pointer check before using cooling device stats (git-fixes). - USB: cdc-acm: downgrade message to debug (git-fixes). - USB: cdc-acm: untangle a circular dependency between callback and softint (git-fixes). - USBip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (git-fixes). - USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (git-fixes). - x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (bsc#1152489). 
   - x86/ioapic: Ignore IRQ2 again (bsc#1152489).
   - x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (bsc#1152489).
   - xen/events: fix setting irq affinity (bsc#1184583).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-1301=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):

      kernel-devel-azure-5.3.18-18.44.1
      kernel-source-azure-5.3.18-18.44.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):

      kernel-azure-5.3.18-18.44.1
      kernel-azure-debuginfo-5.3.18-18.44.1
      kernel-azure-debugsource-5.3.18-18.44.1
      kernel-azure-devel-5.3.18-18.44.1
      kernel-azure-devel-debuginfo-5.3.18-18.44.1
      kernel-syms-azure-5.3.18-18.44.1

References:

   https://www.suse.com/security/cve/CVE-2020-25670.html
   https://www.suse.com/security/cve/CVE-2020-25671.html
   https://www.suse.com/security/cve/CVE-2020-25672.html
   https://www.suse.com/security/cve/CVE-2020-25673.html
   https://www.suse.com/security/cve/CVE-2020-36310.html
   https://www.suse.com/security/cve/CVE-2020-36311.html
   https://www.suse.com/security/cve/CVE-2020-36312.html
   https://www.suse.com/security/cve/CVE-2021-28950.html
   https://www.suse.com/security/cve/CVE-2021-29154.html
   https://www.suse.com/security/cve/CVE-2021-30002.html
   https://www.suse.com/security/cve/CVE-2021-3483.html
   https://bugzilla.suse.com/1047233
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1113295
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1178181
   https://bugzilla.suse.com/1181507
   https://bugzilla.suse.com/1183405
   https://bugzilla.suse.com/1184074
   https://bugzilla.suse.com/1184120
   https://bugzilla.suse.com/1184194
   https://bugzilla.suse.com/1184211
   https://bugzilla.suse.com/1184388
   https://bugzilla.suse.com/1184391
   https://bugzilla.suse.com/1184393
   https://bugzilla.suse.com/1184509
   https://bugzilla.suse.com/1184511
   https://bugzilla.suse.com/1184512
   https://bugzilla.suse.com/1184514
   https://bugzilla.suse.com/1184583
   https://bugzilla.suse.com/1184647

From sle-security-updates at lists.suse.com Thu Apr 22 19:15:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 22 Apr 2021 21:15:44 +0200 (CEST)
Subject: SUSE-SU-2021:1305-1: important: Security update for qemu
Message-ID: <20210422191544.0C77EFD9D@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1305-1
Rating:             important
References:         #1172383 #1172384 #1172385 #1172386 #1172478 #1173612 #1174386 #1174641 #1175441 #1176673 #1176682 #1176684 #1178174 #1178934 #1179467 #1180523 #1181108 #1181639 #1182137 #1182425 #1182577 #1182968
Cross-References:   CVE-2020-11947 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13765 CVE-2020-14364 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-27617 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20203 CVE-2021-20257 CVE-2021-3416
CVSS scores:
                    CVE-2020-11947 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2020-11947 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
                    CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
                    CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-13659 (NVD) : 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-13659 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-15469 (NVD) : 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-15469 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-15863 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-15863 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-16092 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-16092 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-27617 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-27617 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20203 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-20203 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
                    SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that solves 21 vulnerabilities and has one errata is now available.

Description:

   This update for qemu fixes the following issues:

   - Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
   - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
   - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
   - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
   - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
   - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
   - Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
   - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
   - Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
   - Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
   - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
   - Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
   - Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
   - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)
   - Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
   - Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
   - Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
   - Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
   - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
   - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
   - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
   - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
   - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1305=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1305=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1305=1

Package List:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (noarch):

      qemu-ipxe-1.0.0-41.62.1
      qemu-seabios-1.9.1_0_gb3ef39f-41.62.1
      qemu-sgabios-8-41.62.1
      qemu-vgabios-1.9.1_0_gb3ef39f-41.62.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):

      qemu-2.6.2-41.62.1
      qemu-block-curl-2.6.2-41.62.1
      qemu-block-curl-debuginfo-2.6.2-41.62.1
      qemu-block-rbd-2.6.2-41.62.1
      qemu-block-rbd-debuginfo-2.6.2-41.62.1
      qemu-block-ssh-2.6.2-41.62.1
      qemu-block-ssh-debuginfo-2.6.2-41.62.1
      qemu-debugsource-2.6.2-41.62.1
      qemu-guest-agent-2.6.2-41.62.1
      qemu-guest-agent-debuginfo-2.6.2-41.62.1
      qemu-kvm-2.6.2-41.62.1
      qemu-lang-2.6.2-41.62.1
      qemu-tools-2.6.2-41.62.1
      qemu-tools-debuginfo-2.6.2-41.62.1
      qemu-x86-2.6.2-41.62.1
      qemu-x86-debuginfo-2.6.2-41.62.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):

      qemu-2.6.2-41.62.1
      qemu-block-curl-2.6.2-41.62.1
      qemu-block-curl-debuginfo-2.6.2-41.62.1
      qemu-block-rbd-2.6.2-41.62.1
      qemu-block-rbd-debuginfo-2.6.2-41.62.1
      qemu-block-ssh-2.6.2-41.62.1
      qemu-block-ssh-debuginfo-2.6.2-41.62.1
      qemu-debugsource-2.6.2-41.62.1
      qemu-guest-agent-2.6.2-41.62.1
      qemu-guest-agent-debuginfo-2.6.2-41.62.1
      qemu-kvm-2.6.2-41.62.1
      qemu-lang-2.6.2-41.62.1
      qemu-tools-2.6.2-41.62.1
      qemu-tools-debuginfo-2.6.2-41.62.1
      qemu-x86-2.6.2-41.62.1
      qemu-x86-debuginfo-2.6.2-41.62.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (noarch):

      qemu-ipxe-1.0.0-41.62.1
      qemu-seabios-1.9.1_0_gb3ef39f-41.62.1
      qemu-sgabios-8-41.62.1
      qemu-vgabios-1.9.1_0_gb3ef39f-41.62.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      qemu-2.6.2-41.62.1
      qemu-block-curl-2.6.2-41.62.1
      qemu-block-curl-debuginfo-2.6.2-41.62.1
      qemu-block-rbd-2.6.2-41.62.1
      qemu-block-rbd-debuginfo-2.6.2-41.62.1
      qemu-block-ssh-2.6.2-41.62.1
      qemu-block-ssh-debuginfo-2.6.2-41.62.1
      qemu-debugsource-2.6.2-41.62.1
      qemu-guest-agent-2.6.2-41.62.1
      qemu-guest-agent-debuginfo-2.6.2-41.62.1
      qemu-kvm-2.6.2-41.62.1
      qemu-lang-2.6.2-41.62.1
      qemu-tools-2.6.2-41.62.1
      qemu-tools-debuginfo-2.6.2-41.62.1
      qemu-x86-2.6.2-41.62.1
      qemu-x86-debuginfo-2.6.2-41.62.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      qemu-ipxe-1.0.0-41.62.1
      qemu-seabios-1.9.1_0_gb3ef39f-41.62.1
      qemu-sgabios-8-41.62.1
      qemu-vgabios-1.9.1_0_gb3ef39f-41.62.1

References:

   https://www.suse.com/security/cve/CVE-2020-11947.html
   https://www.suse.com/security/cve/CVE-2020-12829.html
   https://www.suse.com/security/cve/CVE-2020-13361.html
   https://www.suse.com/security/cve/CVE-2020-13362.html
   https://www.suse.com/security/cve/CVE-2020-13659.html
   https://www.suse.com/security/cve/CVE-2020-13765.html
   https://www.suse.com/security/cve/CVE-2020-14364.html
   https://www.suse.com/security/cve/CVE-2020-15469.html
   https://www.suse.com/security/cve/CVE-2020-15863.html
   https://www.suse.com/security/cve/CVE-2020-16092.html
   https://www.suse.com/security/cve/CVE-2020-25084.html
   https://www.suse.com/security/cve/CVE-2020-25624.html
   https://www.suse.com/security/cve/CVE-2020-25625.html
   https://www.suse.com/security/cve/CVE-2020-25723.html
   https://www.suse.com/security/cve/CVE-2020-27617.html
   https://www.suse.com/security/cve/CVE-2020-29130.html
   https://www.suse.com/security/cve/CVE-2020-29443.html
   https://www.suse.com/security/cve/CVE-2021-20181.html
   https://www.suse.com/security/cve/CVE-2021-20203.html
   https://www.suse.com/security/cve/CVE-2021-20257.html
   https://www.suse.com/security/cve/CVE-2021-3416.html
   https://bugzilla.suse.com/1172383
   https://bugzilla.suse.com/1172384
   https://bugzilla.suse.com/1172385
   https://bugzilla.suse.com/1172386
   https://bugzilla.suse.com/1172478
   https://bugzilla.suse.com/1173612
   https://bugzilla.suse.com/1174386
   https://bugzilla.suse.com/1174641
   https://bugzilla.suse.com/1175441
   https://bugzilla.suse.com/1176673
   https://bugzilla.suse.com/1176682
   https://bugzilla.suse.com/1176684
   https://bugzilla.suse.com/1178174
   https://bugzilla.suse.com/1178934
   https://bugzilla.suse.com/1179467
   https://bugzilla.suse.com/1180523
   https://bugzilla.suse.com/1181108
   https://bugzilla.suse.com/1181639
   https://bugzilla.suse.com/1182137
   https://bugzilla.suse.com/1182425
   https://bugzilla.suse.com/1182577
   https://bugzilla.suse.com/1182968

From sle-security-updates at lists.suse.com Fri Apr 23 10:15:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Apr 2021 12:15:50 +0200 (CEST)
Subject: SUSE-SU-2021:1307-1: important: Security update for MozillaFirefox
Message-ID: <20210423101550.787A2FD9D@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1307-1
Rating:             important
References:         #1184960
Cross-References:   CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946
CVSS scores:
                    CVE-2021-23961 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-23961 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-23994 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-23995 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-23998 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-23999 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-24002 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-29945 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-29946 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox was updated to 78.10.0 ESR (bsc#1184960)
     * CVE-2021-23994: Out of bound write due to lazy initialization
     * CVE-2021-23995: Use-after-free in Responsive Design Mode
     * CVE-2021-23998: Secure Lock icon could have been spoofed
     * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
     * CVE-2021-23999: Blob URLs may have been granted additional privileges
     * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
     * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
     * CVE-2021-29946: Port blocking could be bypassed

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1307=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1307=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.10.0-8.38.1
      MozillaFirefox-debuginfo-78.10.0-8.38.1
      MozillaFirefox-debugsource-78.10.0-8.38.1
      MozillaFirefox-translations-common-78.10.0-8.38.1
      MozillaFirefox-translations-other-78.10.0-8.38.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-78.10.0-8.38.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.10.0-8.38.1
      MozillaFirefox-debuginfo-78.10.0-8.38.1
      MozillaFirefox-debugsource-78.10.0-8.38.1
      MozillaFirefox-devel-78.10.0-8.38.1
      MozillaFirefox-translations-common-78.10.0-8.38.1
      MozillaFirefox-translations-other-78.10.0-8.38.1

References:

   https://www.suse.com/security/cve/CVE-2021-23961.html
   https://www.suse.com/security/cve/CVE-2021-23994.html
   https://www.suse.com/security/cve/CVE-2021-23995.html
   https://www.suse.com/security/cve/CVE-2021-23998.html
   https://www.suse.com/security/cve/CVE-2021-23999.html
   https://www.suse.com/security/cve/CVE-2021-24002.html
   https://www.suse.com/security/cve/CVE-2021-29945.html
   https://www.suse.com/security/cve/CVE-2021-29946.html
   https://bugzilla.suse.com/1184960

From sle-security-updates at lists.suse.com Fri Apr 23 19:17:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Apr 2021 21:17:44 +0200 (CEST)
Subject: SUSE-SU-2021:14706-1: important: Security update for kvm
Message-ID: <20210423191744.119C6FD9D@maintenance.suse.de>

   SUSE Security Update: Security update for kvm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14706-1
Rating:             important
References:         #1123156 #1146873 #1149811 #1161066 #1163018 #1170940 #1172383 #1172384 #1172385 #1172478 #1175441 #1176673 #1176682 #1176684 #1178934 #1179467 #1181108 #1182137 #1182425 #1182577
Cross-References:   CVE-2014-3689 CVE-2015-1779 CVE-2019-12068 CVE-2019-15890 CVE-2019-6778 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13765 CVE-2020-14364 CVE-2020-1983 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 CVE-2020-29130 CVE-2020-29443 CVE-2020-7039 CVE-2020-8608 CVE-2021-20181 CVE-2021-20257
CVSS scores:
                    CVE-2015-1779 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
                    CVE-2019-12068 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
                    CVE-2019-12068 (SUSE): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2019-6778 (NVD) : 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-6778 (SUSE): 7.8 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-12829 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-12829 (SUSE): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-13361 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
                    CVE-2020-13361 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
                    CVE-2020-13362 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-13362 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-13765 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2020-13765 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-1983 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-1983 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-25084 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25084 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25624 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
                    CVE-2020-25625 (NVD) : 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-25625 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-29443 (NVD) : 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2020-29443 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
                    CVE-2020-7039 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2020-7039 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
                    CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
                    CVE-2021-20181 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:

   This update for kvm fixes the following issues:

   - Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385)
   - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
   - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
   - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
   - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
   - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
   - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
   - Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577)
   - Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
   - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
   - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
   - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
   - Fix use-after-free in slirp (CVE-2019-15890 bsc#1149811)
   - Fix for similar problems as for the original fix prompting this issue (CVE-2019-6778 bsc#1123156)
   - Fix potential OOB accesses in slirp (CVE-2020-8608 bsc#1163018 CVE-2020-7039 bsc#1161066)
   - Fix use after free in slirp (CVE-2020-1983 bsc#1170940)
   - Fix potential DOS in lsi scsi controller emulation (CVE-2019-12068 bsc#1146873)
   - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
   - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-kvm-14706=1

Package List:

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      kvm-1.4.2-53.38.1

References:

   https://www.suse.com/security/cve/CVE-2014-3689.html
   https://www.suse.com/security/cve/CVE-2015-1779.html
   https://www.suse.com/security/cve/CVE-2019-12068.html
   https://www.suse.com/security/cve/CVE-2019-15890.html
   https://www.suse.com/security/cve/CVE-2019-6778.html
   https://www.suse.com/security/cve/CVE-2020-12829.html
   https://www.suse.com/security/cve/CVE-2020-13361.html
   https://www.suse.com/security/cve/CVE-2020-13362.html
   https://www.suse.com/security/cve/CVE-2020-13765.html
   https://www.suse.com/security/cve/CVE-2020-14364.html
   https://www.suse.com/security/cve/CVE-2020-1983.html
   https://www.suse.com/security/cve/CVE-2020-25084.html
   https://www.suse.com/security/cve/CVE-2020-25624.html
   https://www.suse.com/security/cve/CVE-2020-25625.html
   https://www.suse.com/security/cve/CVE-2020-25723.html
   https://www.suse.com/security/cve/CVE-2020-29130.html
   https://www.suse.com/security/cve/CVE-2020-29443.html
   https://www.suse.com/security/cve/CVE-2020-7039.html
   https://www.suse.com/security/cve/CVE-2020-8608.html
   https://www.suse.com/security/cve/CVE-2021-20181.html
   https://www.suse.com/security/cve/CVE-2021-20257.html
   https://bugzilla.suse.com/1123156
   https://bugzilla.suse.com/1146873
   https://bugzilla.suse.com/1149811
   https://bugzilla.suse.com/1161066
   https://bugzilla.suse.com/1163018
   https://bugzilla.suse.com/1170940
   https://bugzilla.suse.com/1172383
   https://bugzilla.suse.com/1172384
   https://bugzilla.suse.com/1172385
   https://bugzilla.suse.com/1172478
   https://bugzilla.suse.com/1175441
   https://bugzilla.suse.com/1176673
   https://bugzilla.suse.com/1176682
   https://bugzilla.suse.com/1176684
   https://bugzilla.suse.com/1178934
   https://bugzilla.suse.com/1179467
   https://bugzilla.suse.com/1181108
   https://bugzilla.suse.com/1182137
   https://bugzilla.suse.com/1182425
   https://bugzilla.suse.com/1182577

From sle-security-updates at lists.suse.com Fri Apr 23 19:23:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 23 Apr 2021 21:23:45 +0200 (CEST)
Subject: SUSE-SU-2021:1310-1: moderate: Security update for librsvg
Message-ID: <20210423192345.642AFFD9D@maintenance.suse.de>

   SUSE Security Update: Security update for librsvg
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1310-1
Rating:             moderate
References:         #1148293 #1181571
Cross-References:   CVE-2018-20991
CVSS scores:
                    CVE-2018-20991 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for librsvg fixes the following issues:

   - librsvg was updated to 2.42.9:
     * Update dependent crates that had security vulnerabilities: smallvec to 0.6.14 - RUSTSEC-2018-0003 - CVE-2018-20991 (bsc#1148293)
   - the bundled version of the cssparser crate now builds correctly on Rust 1.43 (bsc#1181571).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1310=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1310=1

Package List:

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):

      librsvg-debugsource-2.42.9-3.6.1
      rsvg-view-2.42.9-3.6.1
      rsvg-view-debuginfo-2.42.9-3.6.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):

      librsvg-debugsource-2.42.9-3.6.1
      rsvg-view-2.42.9-3.6.1
      rsvg-view-debuginfo-2.42.9-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2018-20991.html
   https://bugzilla.suse.com/1148293
   https://bugzilla.suse.com/1181571

From sle-security-updates at lists.suse.com Sat Apr 24 06:01:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 24 Apr 2021 08:01:21 +0200 (CEST)
Subject: SUSE-CU-2021:118-1: Security update of ses/7/cephcsi/cephcsi
Message-ID: <20210424060121.66447B462D5@westernhagen.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:118-1
Container Tags        : ses/7/cephcsi/cephcsi:3.2.1 , ses/7/cephcsi/cephcsi:3.2.1.0.3.321 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.1 , ses/7/cephcsi/cephcsi:v3.2.1.0
Container Release     : 3.321
Severity              : important
Type                  : security
References            : 1177047 1178219 1180836 1181976 1182791 1183791 1183801 1183936 1184136 CVE-2021-3156
-----------------------------------------------------------------

The container ses/7/cephcsi/cephcsi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791

This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976

This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1237-1
Released:    Fri Apr 16 08:16:54 2021
Summary:     Recommended update for ceph-csi
Type:        recommended
Severity:    moderate
References:

This update for ceph-csi fixes the following issues:

- Deployment: Fix snapshot controller deployment
- RBD: Fix namespace json parser

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1275-1
Released:    Tue Apr 20 14:31:26 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1183936,CVE-2021-3156

This update for sudo fixes the following issues:

- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1286-1
Released:    Tue Apr 20 20:10:21 2021
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1180836

This recommended update for SLES-release provides the following fix:

- Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released:    Wed Apr 21 14:02:46 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1177047

This update for gzip fixes the following issues:

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released:    Wed Apr 21 14:08:19 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1184136

This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791

This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219

This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1299-1
Released:    Wed Apr 21 14:11:41 2021
Summary:     Optional update for gpgme
Type:        optional
Severity:    low
References:  1183801

This update for gpgme fixes the following issues:

- Fixed a bug in test cases (bsc#1183801)

This patch is optional to install and does not provide any user visible bug fixes.

From sle-security-updates at lists.suse.com Mon Apr 26 10:15:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 26 Apr 2021 12:15:48 +0200 (CEST)
Subject: SUSE-SU-2021:1314-1: important: Security update for java-11-openjdk
Message-ID: <20210426101548.774C8FDE1@maintenance.suse.de>

   SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1314-1
Rating:             important
References:         #1184606 #1185055 #1185056
Cross-References:   CVE-2021-2161 CVE-2021-2163
CVSS scores:
                    CVE-2021-2161 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-2161 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-2163 (NVD) : 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-2163 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.
Description: This update for java-11-openjdk fixes the following issues: - Update to upstream tag jdk-11.0.11+9 (April 2021 CPU) * CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055) * CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056) - moved mozilla-nss dependency to java-11-openjdk-headless package, this is necessary to be able to do crypto with just java-11-openjdk-headless installed (bsc#1184606). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1314=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-11-openjdk-11.0.11.0-3.21.1 java-11-openjdk-debuginfo-11.0.11.0-3.21.1 java-11-openjdk-debugsource-11.0.11.0-3.21.1 java-11-openjdk-demo-11.0.11.0-3.21.1 java-11-openjdk-devel-11.0.11.0-3.21.1 java-11-openjdk-headless-11.0.11.0-3.21.1 References: https://www.suse.com/security/cve/CVE-2021-2161.html https://www.suse.com/security/cve/CVE-2021-2163.html https://bugzilla.suse.com/1184606 https://bugzilla.suse.com/1185055 https://bugzilla.suse.com/1185056 From sle-security-updates at lists.suse.com Mon Apr 26 10:17:07 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Apr 2021 12:17:07 +0200 (CEST) Subject: SUSE-SU-2021:1313-1: important: Security update for python-aiohttp Message-ID: <20210426101707.C130EFDE1@maintenance.suse.de> SUSE Security Update: Security update for python-aiohttp ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1313-1 Rating: important References: #1184745 Cross-References: CVE-2021-21330 CVSS scores: CVE-2021-21330 (NVD) : 6.1 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-21330 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP3 SUSE Linux Enterprise Module for Public Cloud 15-SP2 SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-aiohttp fixes the following issues: - CVE-2021-21330: Fixed the way pure-Python HTTP parser interprets `//` (bsc#1184745) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP3: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-1313=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP2: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-1313=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2021-1313=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (aarch64 ppc64le s390x x86_64): python-aiohttp-debugsource-3.4.4-3.6.1 python3-aiohttp-3.4.4-3.6.1 python3-aiohttp-debuginfo-3.4.4-3.6.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (aarch64 ppc64le s390x x86_64): python-aiohttp-debugsource-3.4.4-3.6.1 python-aiohttp-doc-3.4.4-3.6.1 python3-aiohttp-3.4.4-3.6.1 python3-aiohttp-debuginfo-3.4.4-3.6.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): python-aiohttp-debugsource-3.4.4-3.6.1 python-aiohttp-doc-3.4.4-3.6.1 python3-aiohttp-3.4.4-3.6.1 python3-aiohttp-debuginfo-3.4.4-3.6.1 References: https://www.suse.com/security/cve/CVE-2021-21330.html https://bugzilla.suse.com/1184745 From sle-security-updates at lists.suse.com Mon Apr 26 10:18:16 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 26 Apr 2021 12:18:16 +0200 (CEST) Subject: SUSE-SU-2021:1315-1: moderate: Security update for apache-commons-io Message-ID: <20210426101816.79A24FDE1@maintenance.suse.de> SUSE Security Update: Security update for apache-commons-io ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1315-1 Rating: moderate References: #1184755 Cross-References: CVE-2021-29425 CVSS scores: CVE-2021-29425 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-29425 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache-commons-io fixes the following issues: - CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1315=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1315=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): apache-commons-io-2.4-9.3.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): apache-commons-io-2.4-9.3.1 References: https://www.suse.com/security/cve/CVE-2021-29425.html https://bugzilla.suse.com/1184755 From sle-security-updates at lists.suse.com Tue Apr 27 13:16:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 27 Apr 2021 15:16:06 +0200 (CEST) Subject: SUSE-SU-2021:1325-1: important: Security update for MozillaFirefox Message-ID: <20210427131606.19610FDE1@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1325-1 Rating: important References: #1184960 Cross-References: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVSS scores: CVE-2021-23961 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23961 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23994 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23995 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23998 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-23999 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-24002 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29945 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29946 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 
SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.10.0 ESR (bsc#1184960) * CVE-2021-23994: Out of bound write due to lazy initialization * CVE-2021-23995: Use-after-free in Responsive Design Mode * CVE-2021-23998: Secure Lock icon could have been spoofed * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999: Blob URLs may have been granted additional privileges * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946: Port blocking could be bypassed Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1325=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1325=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1325=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1325=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1325=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1325=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1325=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1325=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1325=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1325=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1325=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1325=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1325=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1325=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1325=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 
MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE OpenStack Cloud 9 (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.10.0-112.57.2 
MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-78.10.0-112.57.2 MozillaFirefox-debuginfo-78.10.0-112.57.2 MozillaFirefox-debugsource-78.10.0-112.57.2 MozillaFirefox-devel-78.10.0-112.57.2 MozillaFirefox-translations-common-78.10.0-112.57.2 References: https://www.suse.com/security/cve/CVE-2021-23961.html https://www.suse.com/security/cve/CVE-2021-23994.html https://www.suse.com/security/cve/CVE-2021-23995.html https://www.suse.com/security/cve/CVE-2021-23998.html https://www.suse.com/security/cve/CVE-2021-23999.html https://www.suse.com/security/cve/CVE-2021-24002.html https://www.suse.com/security/cve/CVE-2021-29945.html https://www.suse.com/security/cve/CVE-2021-29946.html https://bugzilla.suse.com/1184960 From sle-security-updates at lists.suse.com Wed 
Apr 28 10:16:49 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 12:16:49 +0200 (CEST) Subject: SUSE-SU-2021:1341-1: important: Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) Message-ID: <20210428101649.54A49FE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1341-1 Rating: important References: #1182294 Cross-References: CVE-2021-28688 CVSS scores: CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.180-94_141 fixes one issue. The following security issue was fixed: - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1341=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1341=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_141-default-3-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-3-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_141-default-3-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-3-2.2 References: https://www.suse.com/security/cve/CVE-2021-28688.html https://bugzilla.suse.com/1182294 From sle-security-updates at lists.suse.com Wed Apr 28 13:16:58 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:16:58 +0200 (CEST) Subject: SUSE-SU-2021:1401-1: important: Security update for gdm Message-ID: <20210428131658.AC26CFE10@maintenance.suse.de> SUSE Security Update: Security update for gdm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1401-1 Rating: important References: #1184456 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description: This update for gdm fixes the following issues: - Avoid the signal SIGTRAP when gdm exits (bsc#1184456). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1401=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1401=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1401=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1401=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1401=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1401=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1401=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1401=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1401=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1401=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1401=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1401=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1401=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1401=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1401=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE OpenStack Cloud Crowbar 9 (x86_64): gdm-3.10.0.1-54.20.1 
gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE OpenStack Cloud 9 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE OpenStack Cloud 9 (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE OpenStack Cloud 8 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE OpenStack Cloud 8 (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 gdm-devel-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): gdm-lang-3.10.0.1-54.20.1 
gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 
libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 - HPE Helion Openstack 8 (noarch): gdm-lang-3.10.0.1-54.20.1 gdmflexiserver-3.10.0.1-54.20.1 - HPE Helion Openstack 8 (x86_64): gdm-3.10.0.1-54.20.1 gdm-debuginfo-3.10.0.1-54.20.1 gdm-debugsource-3.10.0.1-54.20.1 libgdm1-3.10.0.1-54.20.1 libgdm1-debuginfo-3.10.0.1-54.20.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.20.1 References: https://bugzilla.suse.com/1184456 From sle-security-updates at lists.suse.com Wed Apr 28 13:18:14 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:18:14 +0200 (CEST) Subject: SUSE-SU-2021:1399-1: important: Security update for libnettle Message-ID: <20210428131814.54A35FE04@maintenance.suse.de> SUSE Security Update: Security update for libnettle ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1399-1 Rating: important References: #1183835 #1184401 Cross-References: CVE-2021-20305 CVSS scores: CVE-2021-20305 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-20305 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise 
Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS-SAP SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1399=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1399=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1399=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1399=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1399=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1399=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1399=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1399=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1399=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1399=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1399=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1399=1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t 
patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1399=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1399=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1399=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE OpenStack Cloud 9 (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE OpenStack Cloud 8 (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libnettle-debugsource-2.7.1-13.3.1 libnettle-devel-2.7.1-13.3.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 - SUSE Linux Enterprise Server for SAP 
12-SP4 (x86_64): libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 
libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 - HPE Helion Openstack 8 (x86_64): libhogweed2-2.7.1-13.3.1 libhogweed2-32bit-2.7.1-13.3.1 libhogweed2-debuginfo-2.7.1-13.3.1 libhogweed2-debuginfo-32bit-2.7.1-13.3.1 libnettle-debugsource-2.7.1-13.3.1 libnettle4-2.7.1-13.3.1 libnettle4-32bit-2.7.1-13.3.1 libnettle4-debuginfo-2.7.1-13.3.1 libnettle4-debuginfo-32bit-2.7.1-13.3.1 References: https://www.suse.com/security/cve/CVE-2021-20305.html https://bugzilla.suse.com/1183835 https://bugzilla.suse.com/1184401 From sle-security-updates at lists.suse.com Wed Apr 28 13:19:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:19:39 +0200 (CEST) Subject: SUSE-SU-2021:1344-1: important: Security update for the Linux 
Kernel (Live Patch 21 for SLE 15) Message-ID: <20210428131939.1F941FE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 21 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1344-1 Rating: important References: #1182294 #1184171 Cross-References: CVE-2021-26930 CVE-2021-26931 CVE-2021-28688 CVE-2021-3444 CVSS scores: CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_63 fixes several issues. The following security issues were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184171). - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1182294). - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-1360=1 SUSE-SLE-Module-Live-Patching-15-2021-1361=1 SUSE-SLE-Module-Live-Patching-15-2021-1362=1 SUSE-SLE-Module-Live-Patching-15-2021-1363=1 SUSE-SLE-Module-Live-Patching-15-2021-1376=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-1342=1 SUSE-SLE-Live-Patching-12-SP4-2021-1343=1 SUSE-SLE-Live-Patching-12-SP4-2021-1344=1 SUSE-SLE-Live-Patching-12-SP4-2021-1345=1 SUSE-SLE-Live-Patching-12-SP4-2021-1346=1 SUSE-SLE-Live-Patching-12-SP4-2021-1374=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_52-default-9-2.2 kernel-livepatch-4_12_14-150_52-default-debuginfo-9-2.2 kernel-livepatch-4_12_14-150_55-default-9-2.2 kernel-livepatch-4_12_14-150_55-default-debuginfo-9-2.2 kernel-livepatch-4_12_14-150_58-default-8-2.2 kernel-livepatch-4_12_14-150_58-default-debuginfo-8-2.2 kernel-livepatch-4_12_14-150_63-default-6-2.2 kernel-livepatch-4_12_14-150_63-default-debuginfo-6-2.2 kernel-livepatch-4_12_14-150_66-default-4-2.2 kernel-livepatch-4_12_14-150_66-default-debuginfo-4-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_51-default-11-2.2 kgraft-patch-4_12_14-95_54-default-9-2.2 kgraft-patch-4_12_14-95_57-default-9-2.2 kgraft-patch-4_12_14-95_60-default-8-2.2 kgraft-patch-4_12_14-95_65-default-5-2.2 kgraft-patch-4_12_14-95_68-default-4-2.2 References: https://www.suse.com/security/cve/CVE-2021-26930.html https://www.suse.com/security/cve/CVE-2021-26931.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-3444.html https://bugzilla.suse.com/1182294 https://bugzilla.suse.com/1184171 From sle-security-updates at lists.suse.com Wed Apr 28 13:20:55 2021 From: sle-security-updates at lists.suse.com 
(sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:20:55 +0200 (CEST) Subject: SUSE-SU-2021:14707-1: moderate: Security update for curl Message-ID: <20210428132055.62AFDFE04@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14707-1 Rating: moderate References: #1183933 Cross-References: CVE-2021-22876 CVSS scores: CVE-2021-22876 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Server 11-SECURITY ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SECURITY: zypper in -t patch secsp3-curl-14707=1 Package List: - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64): curl-openssl1-7.37.0-70.60.1 libcurl4-openssl1-7.37.0-70.60.1 - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64): libcurl4-openssl1-32bit-7.37.0-70.60.1 - SUSE Linux Enterprise Server 11-SECURITY (ia64): libcurl4-openssl1-x86-7.37.0-70.60.1 References: https://www.suse.com/security/cve/CVE-2021-22876.html https://bugzilla.suse.com/1183933 From sle-security-updates at lists.suse.com Wed Apr 28 13:22:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:22:57 +0200 (CEST) Subject: SUSE-SU-2021:1347-1: important: Security update for the Linux Kernel (Live Patch 23 for SLE 15) Message-ID: <20210428132257.1626EFE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 23 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1347-1 Rating: important References: #1182294 #1184171 Cross-References: CVE-2021-28688 CVE-2021-3444 CVSS scores: CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_69 fixes several issues. 
The following security issues were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184171). - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-1364=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-1347=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_69-default-3-2.2 kernel-livepatch-4_12_14-150_69-default-debuginfo-3-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_71-default-3-2.2 References: https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-3444.html https://bugzilla.suse.com/1182294 https://bugzilla.suse.com/1184171 From sle-security-updates at lists.suse.com Wed Apr 28 13:24:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:24:06 +0200 (CEST) Subject: SUSE-SU-2021:1395-1: important: Security update for the Linux Kernel (Live Patch 23 for SLE 15 SP1) Message-ID: <20210428132406.30930FE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 23 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1395-1 Rating: important References: #1182294 #1183658 #1184171 Cross-References: CVE-2021-28660 CVE-2021-28688 CVE-2021-3444 CVSS scores: CVE-2021-28660 (NVD) : 7.8 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-197_86 fixes several issues. The following security issues were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184171). - CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183658). - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1395=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-1385=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_52-default-3-2.2 kernel-livepatch-5_3_18-24_52-default-debuginfo-3-2.2 kernel-livepatch-SLE15-SP2_Update_11-debugsource-3-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_86-default-3-2.2 References: https://www.suse.com/security/cve/CVE-2021-28660.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-3444.html https://bugzilla.suse.com/1182294 https://bugzilla.suse.com/1183658 https://bugzilla.suse.com/1184171 From sle-security-updates at lists.suse.com Wed Apr 28 13:25:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:25:27 +0200 (CEST) Subject: SUSE-SU-2021:1373-1: important: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) Message-ID: <20210428132527.35CCFFE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1373-1 Rating: important References: #1182294 Cross-References: CVE-2021-26930 CVE-2021-26931 CVE-2021-28688 CVSS scores: CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28688 (NVD) : 6.5 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_135 fixes one issue. The following security issues were fixed: - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1182294). - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1337=1 SUSE-SLE-SAP-12-SP3-2021-1338=1 SUSE-SLE-SAP-12-SP3-2021-1339=1 SUSE-SLE-SAP-12-SP3-2021-1340=1 SUSE-SLE-SAP-12-SP3-2021-1371=1 SUSE-SLE-SAP-12-SP3-2021-1372=1 SUSE-SLE-SAP-12-SP3-2021-1373=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1337=1 SUSE-SLE-SERVER-12-SP3-2021-1338=1 SUSE-SLE-SERVER-12-SP3-2021-1339=1 SUSE-SLE-SERVER-12-SP3-2021-1340=1 SUSE-SLE-SERVER-12-SP3-2021-1371=1 SUSE-SLE-SERVER-12-SP3-2021-1372=1 SUSE-SLE-SERVER-12-SP3-2021-1373=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-10-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_121-default-9-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_124-default-9-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_127-default-9-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-9-2.2 
kgraft-patch-4_4_180-94_130-default-8-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_135-default-6-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_138-default-4-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-4-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-10-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_121-default-9-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_124-default-9-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_127-default-9-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-9-2.2 kgraft-patch-4_4_180-94_130-default-8-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_135-default-6-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_138-default-4-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-4-2.2 References: https://www.suse.com/security/cve/CVE-2021-26930.html https://www.suse.com/security/cve/CVE-2021-26931.html https://www.suse.com/security/cve/CVE-2021-28688.html https://bugzilla.suse.com/1182294 From sle-security-updates at lists.suse.com Wed Apr 28 13:27:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:27:00 +0200 (CEST) Subject: SUSE-SU-2021:1365-1: important: Security update for the Linux Kernel (Live Patch 17 for SLE 15 SP1) Message-ID: <20210428132700.47678FE04@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 17 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1365-1 Rating: important References: #1182294 #1183658 #1184171 Cross-References: CVE-2021-26930 CVE-2021-26931 CVE-2021-28660 CVE-2021-28688 CVE-2021-3444 CVSS scores: CVE-2021-26930 (NVD) : 7.8 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-197_64 fixes several issues. The following security issues were fixed: - CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0, leading to an out-of-bounds read (bsc#1184171). - CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183658). - CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1182294, bsc#1183646). - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1182294). - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1369=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1370=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1386=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1387=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1388=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1389=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1390=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1391=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1392=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1393=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-1394=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-1365=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1366=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1367=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1368=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1377=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1378=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1379=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1380=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1381=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1382=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1383=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-1384=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1348=1 SUSE-SLE-Live-Patching-12-SP5-2021-1349=1 SUSE-SLE-Live-Patching-12-SP5-2021-1350=1 SUSE-SLE-Live-Patching-12-SP5-2021-1351=1 SUSE-SLE-Live-Patching-12-SP5-2021-1352=1 SUSE-SLE-Live-Patching-12-SP5-2021-1353=1 SUSE-SLE-Live-Patching-12-SP5-2021-1354=1 SUSE-SLE-Live-Patching-12-SP5-2021-1355=1 SUSE-SLE-Live-Patching-12-SP5-2021-1356=1 SUSE-SLE-Live-Patching-12-SP5-2021-1357=1 SUSE-SLE-Live-Patching-12-SP5-2021-1358=1 SUSE-SLE-Live-Patching-12-SP5-2021-1359=1 SUSE-SLE-Live-Patching-12-SP5-2021-1375=1 Package List: - SUSE Linux Enterprise Module 
for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-22-default-10-5.2 kernel-livepatch-5_3_18-22-default-debuginfo-10-5.2 kernel-livepatch-5_3_18-24_12-default-8-2.2 kernel-livepatch-5_3_18-24_12-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_15-default-8-2.2 kernel-livepatch-5_3_18-24_15-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_24-default-8-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_29-default-6-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_34-default-6-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_37-default-6-2.2 kernel-livepatch-5_3_18-24_37-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_43-default-5-2.2 kernel-livepatch-5_3_18-24_43-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_46-default-5-2.2 kernel-livepatch-5_3_18-24_46-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_49-default-4-2.2 kernel-livepatch-5_3_18-24_49-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_9-default-9-2.2 kernel-livepatch-5_3_18-24_9-default-debuginfo-9-2.2 kernel-livepatch-SLE15-SP2_Update_0-debugsource-10-5.2 kernel-livepatch-SLE15-SP2_Update_1-debugsource-9-2.2 kernel-livepatch-SLE15-SP2_Update_10-debugsource-4-2.2 kernel-livepatch-SLE15-SP2_Update_2-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_3-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_8-debugsource-5-2.2 kernel-livepatch-SLE15-SP2_Update_9-debugsource-5-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_40-default-11-2.2 kernel-livepatch-4_12_14-197_45-default-9-2.2 kernel-livepatch-4_12_14-197_48-default-9-2.2 kernel-livepatch-4_12_14-197_51-default-9-2.2 
kernel-livepatch-4_12_14-197_56-default-8-2.2 kernel-livepatch-4_12_14-197_61-default-7-2.2 kernel-livepatch-4_12_14-197_64-default-6-2.2 kernel-livepatch-4_12_14-197_67-default-6-2.2 kernel-livepatch-4_12_14-197_72-default-5-2.2 kernel-livepatch-4_12_14-197_75-default-5-2.2 kernel-livepatch-4_12_14-197_78-default-5-2.2 kernel-livepatch-4_12_14-197_83-default-4-2.2 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_20-default-12-2.2 kgraft-patch-4_12_14-122_23-default-11-2.2 kgraft-patch-4_12_14-122_26-default-11-2.2 kgraft-patch-4_12_14-122_29-default-11-2.2 kgraft-patch-4_12_14-122_32-default-11-2.2 kgraft-patch-4_12_14-122_37-default-10-2.2 kgraft-patch-4_12_14-122_41-default-9-2.2 kgraft-patch-4_12_14-122_46-default-7-2.2 kgraft-patch-4_12_14-122_51-default-7-2.2 kgraft-patch-4_12_14-122_54-default-5-2.2 kgraft-patch-4_12_14-122_57-default-5-2.2 kgraft-patch-4_12_14-122_60-default-4-2.2 kgraft-patch-4_12_14-122_63-default-3-2.2 References: https://www.suse.com/security/cve/CVE-2021-26930.html https://www.suse.com/security/cve/CVE-2021-26931.html https://www.suse.com/security/cve/CVE-2021-28660.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-3444.html https://bugzilla.suse.com/1182294 https://bugzilla.suse.com/1183658 https://bugzilla.suse.com/1184171 From sle-security-updates at lists.suse.com Wed Apr 28 13:28:36 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 15:28:36 +0200 (CEST) Subject: SUSE-SU-2021:1396-1: moderate: Security update for curl Message-ID: <20210428132836.3373EFE04@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1396-1 Rating: moderate References: #1183933 Cross-References: CVE-2021-22876 CVSS scores: CVE-2021-22876 (SUSE): 6.1 
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1396=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1396=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): curl-debuginfo-7.60.0-11.15.1 curl-debugsource-7.60.0-11.15.1 libcurl-devel-7.60.0-11.15.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): curl-7.60.0-11.15.1 curl-debuginfo-7.60.0-11.15.1 curl-debugsource-7.60.0-11.15.1 libcurl4-7.60.0-11.15.1 libcurl4-debuginfo-7.60.0-11.15.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libcurl4-32bit-7.60.0-11.15.1 libcurl4-debuginfo-32bit-7.60.0-11.15.1 References: https://www.suse.com/security/cve/CVE-2021-22876.html https://bugzilla.suse.com/1183933 From sle-security-updates at lists.suse.com Wed Apr 28 19:16:21 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 21:16:21 +0200 (CEST) Subject: SUSE-SU-2021:1408-1: important: Security update for librsvg Message-ID: <20210428191621.7A771FDE1@maintenance.suse.de> SUSE Security Update: Security update for librsvg ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1408-1 Rating: 
important References: #1183403 Cross-References: CVE-2021-25900 CVSS scores: CVE-2021-25900 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for librsvg fixes the following issues: - librsvg was updated to 2.46.5: * Update dependent crates that had security vulnerabilities: smallvec to 0.6.14 - RUSTSEC-2018-0003 - CVE-2021-25900 (bsc#1183403) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1408=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1408=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1408=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1408=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): librsvg-debugsource-2.46.5-3.3.1 librsvg-devel-2.46.5-3.3.1 typelib-1_0-Rsvg-2_0-2.46.5-3.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): librsvg-debugsource-2.46.5-3.3.1 librsvg-devel-2.46.5-3.3.1 typelib-1_0-Rsvg-2_0-2.46.5-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): gdk-pixbuf-loader-rsvg-2.46.5-3.3.1 
gdk-pixbuf-loader-rsvg-debuginfo-2.46.5-3.3.1 librsvg-2-2-2.46.5-3.3.1 librsvg-2-2-debuginfo-2.46.5-3.3.1 librsvg-debugsource-2.46.5-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): gdk-pixbuf-loader-rsvg-2.46.5-3.3.1 gdk-pixbuf-loader-rsvg-debuginfo-2.46.5-3.3.1 librsvg-2-2-2.46.5-3.3.1 librsvg-2-2-debuginfo-2.46.5-3.3.1 librsvg-debugsource-2.46.5-3.3.1 References: https://www.suse.com/security/cve/CVE-2021-25900.html https://bugzilla.suse.com/1183403 From sle-security-updates at lists.suse.com Wed Apr 28 19:17:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 21:17:31 +0200 (CEST) Subject: SUSE-SU-2021:14708-1: important: Security update for MozillaFirefox Message-ID: <20210428191731.4C521FDE1@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14708-1 Rating: important References: #1184960 Cross-References: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVSS scores: CVE-2021-23961 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23961 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23994 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23995 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23998 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-23999 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-24002 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29945 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29946 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 
______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.10.0 ESR (bsc#1184960) * CVE-2021-23994: Out of bound write due to lazy initialization * CVE-2021-23995: Use-after-free in Responsive Design Mode * CVE-2021-23998: Secure Lock icon could have been spoofed * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999: Blob URLs may have been granted additional privileges * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946: Port blocking could be bypassed Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-14708=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-MozillaFirefox-14708=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-78.10.0-78.126.1 MozillaFirefox-translations-common-78.10.0-78.126.1 MozillaFirefox-translations-other-78.10.0-78.126.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): MozillaFirefox-debuginfo-78.10.0-78.126.1 References: https://www.suse.com/security/cve/CVE-2021-23961.html https://www.suse.com/security/cve/CVE-2021-23994.html https://www.suse.com/security/cve/CVE-2021-23995.html https://www.suse.com/security/cve/CVE-2021-23998.html https://www.suse.com/security/cve/CVE-2021-23999.html https://www.suse.com/security/cve/CVE-2021-24002.html https://www.suse.com/security/cve/CVE-2021-29945.html https://www.suse.com/security/cve/CVE-2021-29946.html https://bugzilla.suse.com/1184960 
From sle-security-updates at lists.suse.com Wed Apr 28 19:19:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 21:19:51 +0200 (CEST) Subject: SUSE-SU-2021:1409-1: Security update for giflib Message-ID: <20210428191951.D4D7EFDE1@maintenance.suse.de> SUSE Security Update: Security update for giflib ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1409-1 Rating: low References: #1184123 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for giflib fixes the following issues: - Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1409=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1409=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): giflib-debugsource-5.1.4-4.3.1 giflib-devel-5.1.4-4.3.1 libgif7-5.1.4-4.3.1 libgif7-debuginfo-5.1.4-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): giflib-debugsource-5.1.4-4.3.1 giflib-devel-5.1.4-4.3.1 libgif7-5.1.4-4.3.1 libgif7-debuginfo-5.1.4-4.3.1 References: https://bugzilla.suse.com/1184123 From sle-security-updates at lists.suse.com Wed Apr 28 19:21:02 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 28 Apr 2021 21:21:02 +0200 (CEST) Subject: SUSE-SU-2021:1412-1: important: Security update for libnettle Message-ID: <20210428192102.B056BFDE1@maintenance.suse.de> SUSE Security Update: Security update for libnettle ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1412-1 Rating: important References: #1184401 Cross-References: CVE-2021-20305 CVSS scores: CVE-2021-20305 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-20305 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance 
Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1412=1 - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1412=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1412=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1412=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1412=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1412=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1412=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1412=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1412=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1412=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1412=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1412=1 - 
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1412=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1412=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1412=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1412=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Manager Server 4.0 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Manager Proxy 4.0 (x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - 
SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 
(aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 
libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 - SUSE Enterprise Storage 6 (x86_64): libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 - SUSE CaaS Platform 4.0 (x86_64): libhogweed4-3.4.1-4.15.1 libhogweed4-32bit-3.4.1-4.15.1 libhogweed4-32bit-debuginfo-3.4.1-4.15.1 libhogweed4-debuginfo-3.4.1-4.15.1 libnettle-debugsource-3.4.1-4.15.1 libnettle-devel-3.4.1-4.15.1 libnettle6-3.4.1-4.15.1 libnettle6-32bit-3.4.1-4.15.1 libnettle6-32bit-debuginfo-3.4.1-4.15.1 libnettle6-debuginfo-3.4.1-4.15.1 References: https://www.suse.com/security/cve/CVE-2021-20305.html https://bugzilla.suse.com/1184401 From sle-security-updates at lists.suse.com Thu Apr 29 06:09:30 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 08:09:30 +0200 (CEST) Subject: SUSE-CU-2021:124-1: Security update of suse/sles12sp3 Message-ID: <20210429060930.4FE2DB460A3@westernhagen.suse.de> 
SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:124-1
Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.248 , suse/sles12sp3:latest
Container Release : 24.248
Severity : moderate
Type : security
References : 1183933 CVE-2021-22876
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1398-1
Released: Wed Apr 28 09:24:14 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,CVE-2021-22876

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).

From sle-security-updates at lists.suse.com Thu Apr 29 06:17:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 08:17:29 +0200 (CEST)
Subject: SUSE-CU-2021:125-1: Security update of suse/sles12sp5
Message-ID: <20210429061729.48A64B460A3@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:125-1
Container Tags : suse/sles12sp5:6.5.169 , suse/sles12sp5:latest
Container Release : 6.5.169
Severity : moderate
Type : security
References : 1183933 CVE-2021-22876
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1396-1
Released: Wed Apr 28 09:23:39 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,CVE-2021-22876

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).

From sle-security-updates at lists.suse.com Thu Apr 29 06:46:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 08:46:23 +0200 (CEST)
Subject: SUSE-CU-2021:127-1: Security update of suse/sle15
Message-ID: <20210429064623.251A6B45F8A@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:127-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.442
Container Release : 6.2.442
Severity : important
Type : security
References : 1184401 1184690 CVE-2021-20305
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690

This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'.
(bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released: Wed Apr 28 17:09:28 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1184401,CVE-2021-20305

This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

From sle-security-updates at lists.suse.com Thu Apr 29 06:53:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 08:53:33 +0200 (CEST)
Subject: SUSE-CU-2021:128-1: Security update of suse/sle15
Message-ID: <20210429065333.8CD8EB45F8A@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:128-1
Container Tags : suse/sle15:15.2 , suse/sle15:15.2.8.2.899
Container Release : 8.2.899
Severity : important
Type : security
References : 1184401 1184690 CVE-2021-20305
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690

This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'.
(bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released: Wed Apr 28 17:09:28 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1184401,CVE-2021-20305

This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

From sle-security-updates at lists.suse.com Thu Apr 29 13:17:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 15:17:01 +0200 (CEST)
Subject: SUSE-SU-2021:1432-1: important: Security update for MozillaThunderbird
Message-ID: <20210429131701.ECE4FFDE1@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1432-1
Rating: important
References: #1184960
Cross-References: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
CVSS scores:
  CVE-2021-23961 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
  CVE-2021-23961 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
  CVE-2021-23994 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-23995 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-23998 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CVE-2021-23999 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CVE-2021-24002 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CVE-2021-29945 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CVE-2021-29946 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  CVE-2021-29948 (SUSE): 4.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP3
  SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

- Firefox was updated to 78.10.0 ESR (bsc#1184960)
  * CVE-2021-23994: Out of bound write due to lazy initialization
  * CVE-2021-23995: Use-after-free in Responsive Design Mode
  * CVE-2021-23998: Secure Lock icon could have been spoofed
  * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23999: Blob URLs may have been granted additional privileges
  * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
  * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
  * CVE-2021-29946: Port blocking could be bypassed
  * CVE-2021-29948: Race condition when reading from disk while verifying signatures

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1432=1 - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1432=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): MozillaThunderbird-78.10.0-8.23.1 MozillaThunderbird-debuginfo-78.10.0-8.23.1 MozillaThunderbird-debugsource-78.10.0-8.23.1 MozillaThunderbird-translations-common-78.10.0-8.23.1 MozillaThunderbird-translations-other-78.10.0-8.23.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): MozillaThunderbird-78.10.0-8.23.1 MozillaThunderbird-debuginfo-78.10.0-8.23.1 MozillaThunderbird-debugsource-78.10.0-8.23.1 MozillaThunderbird-translations-common-78.10.0-8.23.1 MozillaThunderbird-translations-other-78.10.0-8.23.1 References: https://www.suse.com/security/cve/CVE-2021-23961.html https://www.suse.com/security/cve/CVE-2021-23994.html https://www.suse.com/security/cve/CVE-2021-23995.html https://www.suse.com/security/cve/CVE-2021-23998.html https://www.suse.com/security/cve/CVE-2021-23999.html https://www.suse.com/security/cve/CVE-2021-24002.html https://www.suse.com/security/cve/CVE-2021-29945.html https://www.suse.com/security/cve/CVE-2021-29946.html https://www.suse.com/security/cve/CVE-2021-29948.html https://bugzilla.suse.com/1184960 From sle-security-updates at lists.suse.com Thu Apr 29 13:20:18 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 15:20:18 +0200 (CEST) Subject: SUSE-SU-2021:1430-1: important: Security update for webkit2gtk3 Message-ID: <20210429132018.7D225FDE1@maintenance.suse.de> SUSE Security Update: Security update for webkit2gtk3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1430-1 Rating: important References: #1182719 #1184155 #1184262 Cross-References: 
CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1788 CVE-2021-1789 CVE-2021-1799 CVE-2021-1801 CVE-2021-1844 CVE-2021-1870 CVE-2021-1871
CVSS scores:
  CVE-2020-27918 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2020-29623 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  CVE-2021-1765 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  CVE-2021-1788 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-1789 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-1799 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  CVE-2021-1801 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  CVE-2021-1844 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-1871 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Linux Enterprise Module for Desktop Applications 15-SP3
  SUSE Linux Enterprise Module for Desktop Applications 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for webkit2gtk3 fixes the following issues:

- Update to version 2.32.0 (bsc#1184155):
  * Fix the authentication request port when URL omits the port.
  * Fix iframe scrolling when main frame is scrolled in async * scrolling mode.
  * Stop using g_memdup.
  * Show a warning message when overriding signal handler for * threading suspension.
  * Fix the build on RISC-V with GCC 11.
  * Fix several crashes and rendering issues.
  * Security fixes: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871
- Update in version 2.30.6 (bsc#1184262):
  * Update user agent quirks again for Google Docs and Google Drive.
  * Fix several crashes and rendering issues.
  * Security fixes: CVE-2020-27918, CVE-2020-29623, CVE-2021-1765 CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870.
- Update _constraints for armv6/armv7 (bsc#1182719) - restore NPAPI plugin support which was removed in 2.32.0 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1430=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1430=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1430=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1430=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): typelib-1_0-JavaScriptCore-4_0-2.32.0-3.15.1 typelib-1_0-WebKit2-4_0-2.32.0-3.15.1 typelib-1_0-WebKit2WebExtension-4_0-2.32.0-3.15.1 webkit2gtk3-debugsource-2.32.0-3.15.1 webkit2gtk3-devel-2.32.0-3.15.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): typelib-1_0-JavaScriptCore-4_0-2.32.0-3.15.1 typelib-1_0-WebKit2-4_0-2.32.0-3.15.1 typelib-1_0-WebKit2WebExtension-4_0-2.32.0-3.15.1 webkit2gtk3-debugsource-2.32.0-3.15.1 webkit2gtk3-devel-2.32.0-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.0-3.15.1 libjavascriptcoregtk-4_0-18-debuginfo-2.32.0-3.15.1 libwebkit2gtk-4_0-37-2.32.0-3.15.1 libwebkit2gtk-4_0-37-debuginfo-2.32.0-3.15.1 webkit2gtk-4_0-injected-bundles-2.32.0-3.15.1 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.0-3.15.1 webkit2gtk3-debugsource-2.32.0-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): libwebkit2gtk3-lang-2.32.0-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 
(aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.0-3.15.1 libjavascriptcoregtk-4_0-18-debuginfo-2.32.0-3.15.1 libwebkit2gtk-4_0-37-2.32.0-3.15.1 libwebkit2gtk-4_0-37-debuginfo-2.32.0-3.15.1 webkit2gtk-4_0-injected-bundles-2.32.0-3.15.1 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.0-3.15.1 webkit2gtk3-debugsource-2.32.0-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): libwebkit2gtk3-lang-2.32.0-3.15.1 References: https://www.suse.com/security/cve/CVE-2020-27918.html https://www.suse.com/security/cve/CVE-2020-29623.html https://www.suse.com/security/cve/CVE-2021-1765.html https://www.suse.com/security/cve/CVE-2021-1788.html https://www.suse.com/security/cve/CVE-2021-1789.html https://www.suse.com/security/cve/CVE-2021-1799.html https://www.suse.com/security/cve/CVE-2021-1801.html https://www.suse.com/security/cve/CVE-2021-1844.html https://www.suse.com/security/cve/CVE-2021-1870.html https://www.suse.com/security/cve/CVE-2021-1871.html https://bugzilla.suse.com/1182719 https://bugzilla.suse.com/1184155 https://bugzilla.suse.com/1184262 From sle-security-updates at lists.suse.com Thu Apr 29 13:21:44 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 15:21:44 +0200 (CEST) Subject: SUSE-SU-2021:1433-1: important: Security update for MozillaFirefox Message-ID: <20210429132144.1E2EDFDE1@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1433-1 Rating: important References: #1184960 Cross-References: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVSS scores: CVE-2021-23961 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23961 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-23994 (SUSE): 7.5 
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23995 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-23998 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-23999 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-24002 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29945 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29946 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. 

Description:

This update for MozillaFirefox fixes the following issues:

- MozillaFirefox was updated to 78.10.0 ESR (bsc#1184960)
  * CVE-2021-23994: Out of bound write due to lazy initialization
  * CVE-2021-23995: Use-after-free in Responsive Design Mode
  * CVE-2021-23998: Secure Lock icon could have been spoofed
  * CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23999: Blob URLs may have been granted additional privileges
  * CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
  * CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
  * CVE-2021-29946: Port blocking could be bypassed

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1433=1
- SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1433=1
- SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1433=1
- SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1433=1
- SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1433=1
- SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1433=1
- SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1433=1
- SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1433=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1433=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch
SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1433=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1433=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1433=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1433=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Manager Proxy 4.0 (x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 
MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 
MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 - SUSE CaaS Platform 4.0 (x86_64): MozillaFirefox-78.10.0-3.139.1 MozillaFirefox-debuginfo-78.10.0-3.139.1 MozillaFirefox-debugsource-78.10.0-3.139.1 MozillaFirefox-devel-78.10.0-3.139.1 MozillaFirefox-translations-common-78.10.0-3.139.1 MozillaFirefox-translations-other-78.10.0-3.139.1 References: https://www.suse.com/security/cve/CVE-2021-23961.html https://www.suse.com/security/cve/CVE-2021-23994.html https://www.suse.com/security/cve/CVE-2021-23995.html https://www.suse.com/security/cve/CVE-2021-23998.html https://www.suse.com/security/cve/CVE-2021-23999.html https://www.suse.com/security/cve/CVE-2021-24002.html https://www.suse.com/security/cve/CVE-2021-29945.html https://www.suse.com/security/cve/CVE-2021-29946.html https://bugzilla.suse.com/1184960 From sle-security-updates at lists.suse.com Thu Apr 29 13:22:56 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 15:22:56 +0200 (CEST) Subject: SUSE-SU-2021:1435-1: moderate: Security update for java-1_7_0-openjdk Message-ID: <20210429132256.B226BFDE1@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-openjdk ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2021:1435-1
Rating: moderate
References: #1181239
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-BCL
  HPE Helion Openstack 8
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
  * Security fixes
    + JDK-8247619: Improve Direct Buffering of Characters
  * Import of OpenJDK 7 u291 build 1
    + JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
    + JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
    + JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1435=1
- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1435=1
- SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1435=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1435=1
- SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1435=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1435=1
- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1435=1
- SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1435=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1435=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1435=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1435=1
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1435=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  java-1_7_0-openjdk-1.7.0.291-43.47.3
  java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3
  java-1_7_0-openjdk-demo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-devel-1.7.0.291-43.47.3
  java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-headless-1.7.0.291-43.47.3
  java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  java-1_7_0-openjdk-1.7.0.291-43.47.3
  java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3
  java-1_7_0-openjdk-demo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3
  java-1_7_0-openjdk-devel-1.7.0.291-43.47.3
java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE OpenStack Cloud 9 (x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 
java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 
java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 - HPE Helion Openstack 8 (x86_64): java-1_7_0-openjdk-1.7.0.291-43.47.3 java-1_7_0-openjdk-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-debugsource-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-1.7.0.291-43.47.3 java-1_7_0-openjdk-demo-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-1.7.0.291-43.47.3 java-1_7_0-openjdk-devel-debuginfo-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-1.7.0.291-43.47.3 java-1_7_0-openjdk-headless-debuginfo-1.7.0.291-43.47.3 References: https://bugzilla.suse.com/1181239 From sle-security-updates at lists.suse.com Thu Apr 29 13:24:03 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 15:24:03 +0200 (CEST) Subject: SUSE-SU-2021:1429-1: important: Security update for permissions Message-ID: <20210429132403.AD218FDE1@maintenance.suse.de> SUSE Security Update: Security update for permissions ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1429-1 Rating: important References: #1050467 #1182899 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description:

This update for permissions fixes the following issues:

- Update to version 20170707:
  * make btmp root:utmp (bsc#1050467, bsc#1182899)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1429=1
- SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1429=1
- SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1429=1
- SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1429=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  permissions-20170707-3.27.1
  permissions-debuginfo-20170707-3.27.1
  permissions-debugsource-20170707-3.27.1
- SUSE OpenStack Cloud 9 (x86_64):
  permissions-20170707-3.27.1
  permissions-debuginfo-20170707-3.27.1
  permissions-debugsource-20170707-3.27.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  permissions-20170707-3.27.1
  permissions-debuginfo-20170707-3.27.1
  permissions-debugsource-20170707-3.27.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  permissions-20170707-3.27.1
  permissions-debuginfo-20170707-3.27.1
  permissions-debugsource-20170707-3.27.1

References:

https://bugzilla.suse.com/1050467
https://bugzilla.suse.com/1182899

From sle-security-updates at lists.suse.com Thu Apr 29 13:25:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 15:25:14 +0200 (CEST)
Subject: SUSE-SU-2021:1431-1: important: Security update for tomcat
Message-ID: <20210429132514.9D6BCFDE1@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1431-1
Rating: important
References: #1182909
Cross-References: CVE-2021-25329
CVSS scores:
  CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
  SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
  SUSE Linux Enterprise Server 12-SP2-BCL
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tomcat fixes the following issues:

- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1431=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1431=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1431=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1431=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1431=1
- SUSE Linux Enterprise Server 12-SP2-LTSS-SAP: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1431=1
- SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON: zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1431=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1431=1
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1431=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  tomcat-8.0.53-29.46.1
tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE OpenStack Cloud 8 (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (noarch): 
tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 - HPE Helion Openstack 8 (noarch): tomcat-8.0.53-29.46.1 tomcat-admin-webapps-8.0.53-29.46.1 tomcat-docs-webapp-8.0.53-29.46.1 tomcat-el-3_0-api-8.0.53-29.46.1 tomcat-javadoc-8.0.53-29.46.1 tomcat-jsp-2_3-api-8.0.53-29.46.1 tomcat-lib-8.0.53-29.46.1 tomcat-servlet-3_1-api-8.0.53-29.46.1 tomcat-webapps-8.0.53-29.46.1 References: https://www.suse.com/security/cve/CVE-2021-25329.html https://bugzilla.suse.com/1182909 From sle-security-updates at lists.suse.com Thu Apr 29 16:15:35 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 29 Apr 2021 18:15:35 +0200 (CEST) Subject: SUSE-SU-2021:14709-1: important: Security update for samba Message-ID: <20210429161535.AF16DFDE1@maintenance.suse.de> SUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14709-1 Rating: important References: #1178469 #1184677 Cross-References: CVE-2021-20254 CVSS scores: CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves one vulnerability and 
has one errata is now available.

Description:

This update for samba fixes the following issues:

- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-samba-14709=1
- SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-samba-14709=1
- SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-samba-14709=1
- SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-samba-14709=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  ldapsmb-1.34b-94.34.1
  libldb1-3.6.3-94.34.1
  libsmbclient0-3.6.3-94.34.1
  libtalloc2-3.6.3-94.34.1
  libtdb1-3.6.3-94.34.1
  libtevent0-3.6.3-94.34.1
  libwbclient0-3.6.3-94.34.1
  samba-3.6.3-94.34.1
  samba-client-3.6.3-94.34.1
  samba-krb-printing-3.6.3-94.34.1
  samba-winbind-3.6.3-94.34.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
  libsmbclient0-32bit-3.6.3-94.34.1
  libtalloc2-32bit-3.6.3-94.34.1
  libtdb1-32bit-3.6.3-94.34.1
  libtevent0-32bit-3.6.3-94.34.1
  libwbclient0-32bit-3.6.3-94.34.1
  samba-32bit-3.6.3-94.34.1
  samba-client-32bit-3.6.3-94.34.1
  samba-winbind-32bit-3.6.3-94.34.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (noarch):
  samba-doc-3.6.3-94.34.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):
  samba-doc-3.6.3-94.34.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  ldapsmb-1.34b-94.34.1
  libldb1-3.6.3-94.34.1
  libsmbclient0-3.6.3-94.34.1
  libtalloc2-3.6.3-94.34.1
  libtdb1-3.6.3-94.34.1
  libtevent0-3.6.3-94.34.1
  libwbclient0-3.6.3-94.34.1
  samba-3.6.3-94.34.1
  samba-client-3.6.3-94.34.1
  samba-krb-printing-3.6.3-94.34.1
  samba-winbind-3.6.3-94.34.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  samba-debuginfo-3.6.3-94.34.1
  samba-debugsource-3.6.3-94.34.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
  samba-debuginfo-32bit-3.6.3-94.34.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  samba-debuginfo-3.6.3-94.34.1
  samba-debugsource-3.6.3-94.34.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (s390x):
  samba-debuginfo-32bit-3.6.3-94.34.1

References:

https://www.suse.com/security/cve/CVE-2021-20254.html
https://bugzilla.suse.com/1178469
https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Thu Apr 29 16:16:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 18:16:43 +0200 (CEST)
Subject: SUSE-SU-2021:1438-1: important: Security update for samba
Message-ID: <20210429161643.D3BEEFDE1@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1438-1
Rating: important
References: #1178469 #1179156 #1184677
Cross-References: CVE-2021-20254
CVSS scores:
  CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for samba fixes the following issues:

- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1438=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1438=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2021-1438=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libndr-devel-4.10.18+git.269.dd608524c88-3.27.1 libndr-krb5pac-devel-4.10.18+git.269.dd608524c88-3.27.1 libndr-nbt-devel-4.10.18+git.269.dd608524c88-3.27.1 libndr-standard-devel-4.10.18+git.269.dd608524c88-3.27.1 libsamba-util-devel-4.10.18+git.269.dd608524c88-3.27.1 libsmbclient-devel-4.10.18+git.269.dd608524c88-3.27.1 libwbclient-devel-4.10.18+git.269.dd608524c88-3.27.1 samba-core-devel-4.10.18+git.269.dd608524c88-3.27.1 samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.10.18+git.269.dd608524c88-3.27.1 libdcerpc-binding0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libdcerpc0-4.10.18+git.269.dd608524c88-3.27.1 libdcerpc0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libndr-krb5pac0-4.10.18+git.269.dd608524c88-3.27.1 libndr-krb5pac0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libndr-nbt0-4.10.18+git.269.dd608524c88-3.27.1 libndr-nbt0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libndr-standard0-4.10.18+git.269.dd608524c88-3.27.1 libndr-standard0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libndr0-4.10.18+git.269.dd608524c88-3.27.1 libndr0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libnetapi0-4.10.18+git.269.dd608524c88-3.27.1 libnetapi0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 
libsamba-credentials0-4.10.18+git.269.dd608524c88-3.27.1 libsamba-credentials0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsamba-errors0-4.10.18+git.269.dd608524c88-3.27.1 libsamba-errors0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsamba-hostconfig0-4.10.18+git.269.dd608524c88-3.27.1 libsamba-hostconfig0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsamba-passdb0-4.10.18+git.269.dd608524c88-3.27.1 libsamba-passdb0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsamba-util0-4.10.18+git.269.dd608524c88-3.27.1 libsamba-util0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsamdb0-4.10.18+git.269.dd608524c88-3.27.1 libsamdb0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsmbclient0-4.10.18+git.269.dd608524c88-3.27.1 libsmbclient0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsmbconf0-4.10.18+git.269.dd608524c88-3.27.1 libsmbconf0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libsmbldap2-4.10.18+git.269.dd608524c88-3.27.1 libsmbldap2-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libtevent-util0-4.10.18+git.269.dd608524c88-3.27.1 libtevent-util0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 libwbclient0-4.10.18+git.269.dd608524c88-3.27.1 libwbclient0-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-4.10.18+git.269.dd608524c88-3.27.1 samba-client-4.10.18+git.269.dd608524c88-3.27.1 samba-client-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-python3-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-python3-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-winbind-4.10.18+git.269.dd608524c88-3.27.1 samba-winbind-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libdcerpc-binding0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libdcerpc-binding0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 
libdcerpc0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libdcerpc0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-krb5pac0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-krb5pac0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-nbt0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-nbt0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-standard0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr-standard0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libndr0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libnetapi0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libnetapi0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-credentials0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-credentials0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-errors0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-errors0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-hostconfig0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-hostconfig0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-passdb0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-passdb0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-util0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamba-util0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamdb0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsamdb0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbclient0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbclient0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbconf0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbconf0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbldap2-32bit-4.10.18+git.269.dd608524c88-3.27.1 libsmbldap2-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libtevent-util0-32bit-4.10.18+git.269.dd608524c88-3.27.1 libtevent-util0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 libwbclient0-32bit-4.10.18+git.269.dd608524c88-3.27.1 
libwbclient0-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-client-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-client-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-python3-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-libs-python3-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-winbind-32bit-4.10.18+git.269.dd608524c88-3.27.1 samba-winbind-debuginfo-32bit-4.10.18+git.269.dd608524c88-3.27.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      samba-doc-4.10.18+git.269.dd608524c88-3.27.1

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      ctdb-4.10.18+git.269.dd608524c88-3.27.1 ctdb-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-debuginfo-4.10.18+git.269.dd608524c88-3.27.1 samba-debugsource-4.10.18+git.269.dd608524c88-3.27.1

References:

   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://bugzilla.suse.com/1178469
   https://bugzilla.suse.com/1179156
   https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Thu Apr 29 16:17:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 18:17:55 +0200 (CEST)
Subject: SUSE-SU-2021:1439-1: important: Security update for samba
Message-ID: <20210429161755.44F07FDE1@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1439-1
Rating:             important
References:         #1178469 #1184677
Cross-References:   CVE-2021-20254
CVSS scores:
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
                    SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
   - Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1439=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1439=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1439=1

Package List:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (noarch):

      samba-doc-4.4.2-38.42.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):

      ctdb-4.4.2-38.42.1 ctdb-debuginfo-4.4.2-38.42.1 libdcerpc-binding0-32bit-4.4.2-38.42.1 libdcerpc-binding0-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-4.4.2-38.42.1 libdcerpc0-32bit-4.4.2-38.42.1 libdcerpc0-4.4.2-38.42.1 libdcerpc0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc0-debuginfo-4.4.2-38.42.1 libndr-krb5pac0-32bit-4.4.2-38.42.1 libndr-krb5pac0-4.4.2-38.42.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1 libndr-krb5pac0-debuginfo-4.4.2-38.42.1 libndr-nbt0-32bit-4.4.2-38.42.1 libndr-nbt0-4.4.2-38.42.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1 libndr-nbt0-debuginfo-4.4.2-38.42.1 libndr-standard0-32bit-4.4.2-38.42.1 libndr-standard0-4.4.2-38.42.1 libndr-standard0-debuginfo-32bit-4.4.2-38.42.1 libndr-standard0-debuginfo-4.4.2-38.42.1 libndr0-32bit-4.4.2-38.42.1 libndr0-4.4.2-38.42.1 libndr0-debuginfo-32bit-4.4.2-38.42.1 libndr0-debuginfo-4.4.2-38.42.1 libnetapi0-32bit-4.4.2-38.42.1 libnetapi0-4.4.2-38.42.1 libnetapi0-debuginfo-32bit-4.4.2-38.42.1
libnetapi0-debuginfo-4.4.2-38.42.1 libsamba-credentials0-32bit-4.4.2-38.42.1 libsamba-credentials0-4.4.2-38.42.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1 libsamba-credentials0-debuginfo-4.4.2-38.42.1 libsamba-errors0-32bit-4.4.2-38.42.1 libsamba-errors0-4.4.2-38.42.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1 libsamba-errors0-debuginfo-4.4.2-38.42.1 libsamba-hostconfig0-32bit-4.4.2-38.42.1 libsamba-hostconfig0-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-4.4.2-38.42.1 libsamba-passdb0-32bit-4.4.2-38.42.1 libsamba-passdb0-4.4.2-38.42.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1 libsamba-passdb0-debuginfo-4.4.2-38.42.1 libsamba-util0-32bit-4.4.2-38.42.1 libsamba-util0-4.4.2-38.42.1 libsamba-util0-debuginfo-32bit-4.4.2-38.42.1 libsamba-util0-debuginfo-4.4.2-38.42.1 libsamdb0-32bit-4.4.2-38.42.1 libsamdb0-4.4.2-38.42.1 libsamdb0-debuginfo-32bit-4.4.2-38.42.1 libsamdb0-debuginfo-4.4.2-38.42.1 libsmbclient0-32bit-4.4.2-38.42.1 libsmbclient0-4.4.2-38.42.1 libsmbclient0-debuginfo-32bit-4.4.2-38.42.1 libsmbclient0-debuginfo-4.4.2-38.42.1 libsmbconf0-32bit-4.4.2-38.42.1 libsmbconf0-4.4.2-38.42.1 libsmbconf0-debuginfo-32bit-4.4.2-38.42.1 libsmbconf0-debuginfo-4.4.2-38.42.1 libsmbldap0-32bit-4.4.2-38.42.1 libsmbldap0-4.4.2-38.42.1 libsmbldap0-debuginfo-32bit-4.4.2-38.42.1 libsmbldap0-debuginfo-4.4.2-38.42.1 libtevent-util0-32bit-4.4.2-38.42.1 libtevent-util0-4.4.2-38.42.1 libtevent-util0-debuginfo-32bit-4.4.2-38.42.1 libtevent-util0-debuginfo-4.4.2-38.42.1 libwbclient0-32bit-4.4.2-38.42.1 libwbclient0-4.4.2-38.42.1 libwbclient0-debuginfo-32bit-4.4.2-38.42.1 libwbclient0-debuginfo-4.4.2-38.42.1 samba-4.4.2-38.42.1 samba-client-32bit-4.4.2-38.42.1 samba-client-4.4.2-38.42.1 samba-client-debuginfo-32bit-4.4.2-38.42.1 samba-client-debuginfo-4.4.2-38.42.1 samba-debuginfo-4.4.2-38.42.1 samba-debugsource-4.4.2-38.42.1 samba-libs-32bit-4.4.2-38.42.1 samba-libs-4.4.2-38.42.1 samba-libs-debuginfo-32bit-4.4.2-38.42.1 
samba-libs-debuginfo-4.4.2-38.42.1 samba-winbind-32bit-4.4.2-38.42.1 samba-winbind-4.4.2-38.42.1 samba-winbind-debuginfo-32bit-4.4.2-38.42.1 samba-winbind-debuginfo-4.4.2-38.42.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (noarch): samba-doc-4.4.2-38.42.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64): ctdb-4.4.2-38.42.1 ctdb-debuginfo-4.4.2-38.42.1 libdcerpc-binding0-32bit-4.4.2-38.42.1 libdcerpc-binding0-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-4.4.2-38.42.1 libdcerpc0-32bit-4.4.2-38.42.1 libdcerpc0-4.4.2-38.42.1 libdcerpc0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc0-debuginfo-4.4.2-38.42.1 libndr-krb5pac0-32bit-4.4.2-38.42.1 libndr-krb5pac0-4.4.2-38.42.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1 libndr-krb5pac0-debuginfo-4.4.2-38.42.1 libndr-nbt0-32bit-4.4.2-38.42.1 libndr-nbt0-4.4.2-38.42.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1 libndr-nbt0-debuginfo-4.4.2-38.42.1 libndr-standard0-32bit-4.4.2-38.42.1 libndr-standard0-4.4.2-38.42.1 libndr-standard0-debuginfo-32bit-4.4.2-38.42.1 libndr-standard0-debuginfo-4.4.2-38.42.1 libndr0-32bit-4.4.2-38.42.1 libndr0-4.4.2-38.42.1 libndr0-debuginfo-32bit-4.4.2-38.42.1 libndr0-debuginfo-4.4.2-38.42.1 libnetapi0-32bit-4.4.2-38.42.1 libnetapi0-4.4.2-38.42.1 libnetapi0-debuginfo-32bit-4.4.2-38.42.1 libnetapi0-debuginfo-4.4.2-38.42.1 libsamba-credentials0-32bit-4.4.2-38.42.1 libsamba-credentials0-4.4.2-38.42.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1 libsamba-credentials0-debuginfo-4.4.2-38.42.1 libsamba-errors0-32bit-4.4.2-38.42.1 libsamba-errors0-4.4.2-38.42.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1 libsamba-errors0-debuginfo-4.4.2-38.42.1 libsamba-hostconfig0-32bit-4.4.2-38.42.1 libsamba-hostconfig0-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-4.4.2-38.42.1 libsamba-passdb0-32bit-4.4.2-38.42.1 libsamba-passdb0-4.4.2-38.42.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1 
libsamba-passdb0-debuginfo-4.4.2-38.42.1 libsamba-util0-32bit-4.4.2-38.42.1 libsamba-util0-4.4.2-38.42.1 libsamba-util0-debuginfo-32bit-4.4.2-38.42.1 libsamba-util0-debuginfo-4.4.2-38.42.1 libsamdb0-32bit-4.4.2-38.42.1 libsamdb0-4.4.2-38.42.1 libsamdb0-debuginfo-32bit-4.4.2-38.42.1 libsamdb0-debuginfo-4.4.2-38.42.1 libsmbclient0-32bit-4.4.2-38.42.1 libsmbclient0-4.4.2-38.42.1 libsmbclient0-debuginfo-32bit-4.4.2-38.42.1 libsmbclient0-debuginfo-4.4.2-38.42.1 libsmbconf0-32bit-4.4.2-38.42.1 libsmbconf0-4.4.2-38.42.1 libsmbconf0-debuginfo-32bit-4.4.2-38.42.1 libsmbconf0-debuginfo-4.4.2-38.42.1 libsmbldap0-32bit-4.4.2-38.42.1 libsmbldap0-4.4.2-38.42.1 libsmbldap0-debuginfo-32bit-4.4.2-38.42.1 libsmbldap0-debuginfo-4.4.2-38.42.1 libtevent-util0-32bit-4.4.2-38.42.1 libtevent-util0-4.4.2-38.42.1 libtevent-util0-debuginfo-32bit-4.4.2-38.42.1 libtevent-util0-debuginfo-4.4.2-38.42.1 libwbclient0-32bit-4.4.2-38.42.1 libwbclient0-4.4.2-38.42.1 libwbclient0-debuginfo-32bit-4.4.2-38.42.1 libwbclient0-debuginfo-4.4.2-38.42.1 samba-4.4.2-38.42.1 samba-client-32bit-4.4.2-38.42.1 samba-client-4.4.2-38.42.1 samba-client-debuginfo-32bit-4.4.2-38.42.1 samba-client-debuginfo-4.4.2-38.42.1 samba-debuginfo-4.4.2-38.42.1 samba-debugsource-4.4.2-38.42.1 samba-libs-32bit-4.4.2-38.42.1 samba-libs-4.4.2-38.42.1 samba-libs-debuginfo-32bit-4.4.2-38.42.1 samba-libs-debuginfo-4.4.2-38.42.1 samba-winbind-32bit-4.4.2-38.42.1 samba-winbind-4.4.2-38.42.1 samba-winbind-debuginfo-32bit-4.4.2-38.42.1 samba-winbind-debuginfo-4.4.2-38.42.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libdcerpc-binding0-32bit-4.4.2-38.42.1 libdcerpc-binding0-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc-binding0-debuginfo-4.4.2-38.42.1 libdcerpc0-32bit-4.4.2-38.42.1 libdcerpc0-4.4.2-38.42.1 libdcerpc0-debuginfo-32bit-4.4.2-38.42.1 libdcerpc0-debuginfo-4.4.2-38.42.1 libndr-krb5pac0-32bit-4.4.2-38.42.1 libndr-krb5pac0-4.4.2-38.42.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.42.1 
libndr-krb5pac0-debuginfo-4.4.2-38.42.1 libndr-nbt0-32bit-4.4.2-38.42.1 libndr-nbt0-4.4.2-38.42.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.42.1 libndr-nbt0-debuginfo-4.4.2-38.42.1 libndr-standard0-32bit-4.4.2-38.42.1 libndr-standard0-4.4.2-38.42.1 libndr-standard0-debuginfo-32bit-4.4.2-38.42.1 libndr-standard0-debuginfo-4.4.2-38.42.1 libndr0-32bit-4.4.2-38.42.1 libndr0-4.4.2-38.42.1 libndr0-debuginfo-32bit-4.4.2-38.42.1 libndr0-debuginfo-4.4.2-38.42.1 libnetapi0-32bit-4.4.2-38.42.1 libnetapi0-4.4.2-38.42.1 libnetapi0-debuginfo-32bit-4.4.2-38.42.1 libnetapi0-debuginfo-4.4.2-38.42.1 libsamba-credentials0-32bit-4.4.2-38.42.1 libsamba-credentials0-4.4.2-38.42.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.42.1 libsamba-credentials0-debuginfo-4.4.2-38.42.1 libsamba-errors0-32bit-4.4.2-38.42.1 libsamba-errors0-4.4.2-38.42.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.42.1 libsamba-errors0-debuginfo-4.4.2-38.42.1 libsamba-hostconfig0-32bit-4.4.2-38.42.1 libsamba-hostconfig0-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.42.1 libsamba-hostconfig0-debuginfo-4.4.2-38.42.1 libsamba-passdb0-32bit-4.4.2-38.42.1 libsamba-passdb0-4.4.2-38.42.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.42.1 libsamba-passdb0-debuginfo-4.4.2-38.42.1 libsamba-util0-32bit-4.4.2-38.42.1 libsamba-util0-4.4.2-38.42.1 libsamba-util0-debuginfo-32bit-4.4.2-38.42.1 libsamba-util0-debuginfo-4.4.2-38.42.1 libsamdb0-32bit-4.4.2-38.42.1 libsamdb0-4.4.2-38.42.1 libsamdb0-debuginfo-32bit-4.4.2-38.42.1 libsamdb0-debuginfo-4.4.2-38.42.1 libsmbclient0-32bit-4.4.2-38.42.1 libsmbclient0-4.4.2-38.42.1 libsmbclient0-debuginfo-32bit-4.4.2-38.42.1 libsmbclient0-debuginfo-4.4.2-38.42.1 libsmbconf0-32bit-4.4.2-38.42.1 libsmbconf0-4.4.2-38.42.1 libsmbconf0-debuginfo-32bit-4.4.2-38.42.1 libsmbconf0-debuginfo-4.4.2-38.42.1 libsmbldap0-32bit-4.4.2-38.42.1 libsmbldap0-4.4.2-38.42.1 libsmbldap0-debuginfo-32bit-4.4.2-38.42.1 libsmbldap0-debuginfo-4.4.2-38.42.1 libtevent-util0-32bit-4.4.2-38.42.1 
libtevent-util0-4.4.2-38.42.1 libtevent-util0-debuginfo-32bit-4.4.2-38.42.1 libtevent-util0-debuginfo-4.4.2-38.42.1 libwbclient0-32bit-4.4.2-38.42.1 libwbclient0-4.4.2-38.42.1 libwbclient0-debuginfo-32bit-4.4.2-38.42.1 libwbclient0-debuginfo-4.4.2-38.42.1 samba-4.4.2-38.42.1 samba-client-32bit-4.4.2-38.42.1 samba-client-4.4.2-38.42.1 samba-client-debuginfo-32bit-4.4.2-38.42.1 samba-client-debuginfo-4.4.2-38.42.1 samba-debuginfo-4.4.2-38.42.1 samba-debugsource-4.4.2-38.42.1 samba-libs-32bit-4.4.2-38.42.1 samba-libs-4.4.2-38.42.1 samba-libs-debuginfo-32bit-4.4.2-38.42.1 samba-libs-debuginfo-4.4.2-38.42.1 samba-winbind-32bit-4.4.2-38.42.1 samba-winbind-4.4.2-38.42.1 samba-winbind-debuginfo-32bit-4.4.2-38.42.1 samba-winbind-debuginfo-4.4.2-38.42.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      samba-doc-4.4.2-38.42.1

References:

   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://bugzilla.suse.com/1178469
   https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Thu Apr 29 16:19:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 18:19:01 +0200 (CEST)
Subject: SUSE-SU-2021:1440-1: important: Security update for ldb, samba
Message-ID: <20210429161901.D772CFDE1@maintenance.suse.de>

   SUSE Security Update: Security update for ldb, samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1440-1
Rating:             important
References:         #1182830 #1183572 #1183574 #1184677 #14571
Cross-References:   CVE-2020-27840 CVE-2021-20254 CVE-2021-20277
CVSS scores:
                    CVE-2020-27840 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-20277 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Affected Products:
                    SUSE Enterprise Storage 7
______________________________________________________________________________

   An update that solves three vulnerabilities and has two fixes is now available.

Description:

   This update for ldb, samba fixes the following issues:

   - ldb was updated to 2.2.1
   - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
   - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
   - samba was updated to 4.13.6
   - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
   - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
   - Spec file fixes around systemd and requires; (bsc#1182830);

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2021-1440=1

Package List:

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      ctdb-4.13.6+git.211.555d60b24ba-3.9.1 ctdb-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 ldb-debugsource-2.2.1-4.3.1 libdcerpc-binding0-4.13.6+git.211.555d60b24ba-3.9.1 libdcerpc-binding0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libdcerpc0-4.13.6+git.211.555d60b24ba-3.9.1 libdcerpc0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libldb2-2.2.1-4.3.1 libldb2-debuginfo-2.2.1-4.3.1 libndr-krb5pac0-4.13.6+git.211.555d60b24ba-3.9.1 libndr-krb5pac0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libndr-nbt0-4.13.6+git.211.555d60b24ba-3.9.1 libndr-nbt0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libndr-standard0-4.13.6+git.211.555d60b24ba-3.9.1 libndr-standard0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libndr1-4.13.6+git.211.555d60b24ba-3.9.1 libndr1-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libnetapi0-4.13.6+git.211.555d60b24ba-3.9.1 libnetapi0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1
libsamba-credentials0-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-credentials0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-errors0-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-errors0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-hostconfig0-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-hostconfig0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-passdb0-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-passdb0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-util0-4.13.6+git.211.555d60b24ba-3.9.1 libsamba-util0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsamdb0-4.13.6+git.211.555d60b24ba-3.9.1 libsamdb0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsmbclient0-4.13.6+git.211.555d60b24ba-3.9.1 libsmbclient0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsmbconf0-4.13.6+git.211.555d60b24ba-3.9.1 libsmbconf0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libsmbldap2-4.13.6+git.211.555d60b24ba-3.9.1 libsmbldap2-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libtevent-util0-4.13.6+git.211.555d60b24ba-3.9.1 libtevent-util0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 libwbclient0-4.13.6+git.211.555d60b24ba-3.9.1 libwbclient0-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 python3-ldb-2.2.1-4.3.1 python3-ldb-debuginfo-2.2.1-4.3.1 samba-4.13.6+git.211.555d60b24ba-3.9.1 samba-ceph-4.13.6+git.211.555d60b24ba-3.9.1 samba-ceph-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 samba-client-4.13.6+git.211.555d60b24ba-3.9.1 samba-client-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 samba-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 samba-debugsource-4.13.6+git.211.555d60b24ba-3.9.1 samba-libs-4.13.6+git.211.555d60b24ba-3.9.1 samba-libs-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 samba-libs-python3-4.13.6+git.211.555d60b24ba-3.9.1 samba-libs-python3-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 samba-winbind-4.13.6+git.211.555d60b24ba-3.9.1 samba-winbind-debuginfo-4.13.6+git.211.555d60b24ba-3.9.1 References: https://www.suse.com/security/cve/CVE-2020-27840.html 
   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://www.suse.com/security/cve/CVE-2021-20277.html
   https://bugzilla.suse.com/1182830
   https://bugzilla.suse.com/1183572
   https://bugzilla.suse.com/1183574
   https://bugzilla.suse.com/1184677
   https://bugzilla.suse.com/14571

From sle-security-updates at lists.suse.com Thu Apr 29 16:20:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 18:20:17 +0200 (CEST)
Subject: SUSE-SU-2021:1442-1: important: Security update for samba
Message-ID: <20210429162017.7AD5BFE04@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1442-1
Rating:             important
References:         #1184677
Cross-References:   CVE-2021-20254
CVSS scores:
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
                    SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1442=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1442=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1442=1

Package List:

   - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):

      libdcerpc-atsvc0-4.2.4-28.39.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):

      libdcerpc-atsvc0-4.2.4-28.39.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libdcerpc-atsvc0-4.2.4-28.39.1 libdcerpc-atsvc0-debuginfo-4.2.4-28.39.1

References:

   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Thu Apr 29 19:15:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 21:15:33 +0200 (CEST)
Subject: SUSE-SU-2021:1444-1: important: Security update for samba
Message-ID: <20210429191533.B6566FDE1@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1444-1
Rating:             important
References:         #1178469 #1179156 #1183572 #1183574 #1184310 #1184677
Cross-References:   CVE-2020-27840 CVE-2021-20254 CVE-2021-20277
CVSS scores:
                    CVE-2020-27840 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-20277 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has three fixes is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
   - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
   - Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
   - s3-libads: use dns name to open a ldap session (bsc#1184310).
   - Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-1444=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1444=1

   - SUSE Linux Enterprise High Availability 15-SP2:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-1444=1

Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):

      samba-ad-dc-4.11.14+git.247.8c858f7ee14-4.19.1 samba-ad-dc-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debugsource-4.11.14+git.247.8c858f7ee14-4.19.1 samba-dsdb-modules-4.11.14+git.247.8c858f7ee14-4.19.1 samba-dsdb-modules-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libdcerpc-binding0-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc-binding0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc-devel-4.11.14+git.247.8c858f7ee14-4.19.1
libdcerpc-samr-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc-samr0-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc-samr0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc0-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-krb5pac-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-krb5pac0-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-krb5pac0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-nbt-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-nbt0-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-nbt0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-standard-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-standard0-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-standard0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr0-4.11.14+git.247.8c858f7ee14-4.19.1 libndr0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libnetapi-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libnetapi0-4.11.14+git.247.8c858f7ee14-4.19.1 libnetapi0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-credentials-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-credentials0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-credentials0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-errors-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-errors0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-errors0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-hostconfig-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-hostconfig0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-hostconfig0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-passdb-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-passdb0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-passdb0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-policy-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-policy-python3-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-policy0-python3-4.11.14+git.247.8c858f7ee14-4.19.1 
libsamba-policy0-python3-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-util-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-util0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-util0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamdb-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsamdb0-4.11.14+git.247.8c858f7ee14-4.19.1 libsamdb0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbclient-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbclient0-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbclient0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbconf-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbconf0-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbconf0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbldap-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbldap2-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbldap2-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libtevent-util-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libtevent-util0-4.11.14+git.247.8c858f7ee14-4.19.1 libtevent-util0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libwbclient-devel-4.11.14+git.247.8c858f7ee14-4.19.1 libwbclient0-4.11.14+git.247.8c858f7ee14-4.19.1 libwbclient0-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-4.11.14+git.247.8c858f7ee14-4.19.1 samba-client-4.11.14+git.247.8c858f7ee14-4.19.1 samba-client-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-core-devel-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debugsource-4.11.14+git.247.8c858f7ee14-4.19.1 samba-dsdb-modules-4.11.14+git.247.8c858f7ee14-4.19.1 samba-dsdb-modules-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-python3-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-python3-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-python3-4.11.14+git.247.8c858f7ee14-4.19.1 samba-python3-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-winbind-4.11.14+git.247.8c858f7ee14-4.19.1 
samba-winbind-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64): samba-ceph-4.11.14+git.247.8c858f7ee14-4.19.1 samba-ceph-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libdcerpc-binding0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc-binding0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libdcerpc0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-krb5pac0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-krb5pac0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-nbt0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-nbt0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-standard0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libndr-standard0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libndr0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libndr0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libnetapi0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libnetapi0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-credentials0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-credentials0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-errors0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-errors0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-hostconfig0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-hostconfig0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-passdb0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-passdb0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-util0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamba-util0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsamdb0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsamdb0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbconf0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbconf0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 
libsmbldap2-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libsmbldap2-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libtevent-util0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libtevent-util0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 libwbclient0-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 libwbclient0-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 samba-libs-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-winbind-32bit-4.11.14+git.247.8c858f7ee14-4.19.1 samba-winbind-32bit-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1

   - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):

      ctdb-4.11.14+git.247.8c858f7ee14-4.19.1 ctdb-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debuginfo-4.11.14+git.247.8c858f7ee14-4.19.1 samba-debugsource-4.11.14+git.247.8c858f7ee14-4.19.1

References:

   https://www.suse.com/security/cve/CVE-2020-27840.html
   https://www.suse.com/security/cve/CVE-2021-20254.html
   https://www.suse.com/security/cve/CVE-2021-20277.html
   https://bugzilla.suse.com/1178469
   https://bugzilla.suse.com/1179156
   https://bugzilla.suse.com/1183572
   https://bugzilla.suse.com/1183574
   https://bugzilla.suse.com/1184310
   https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Thu Apr 29 19:18:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Apr 2021 21:18:04 +0200 (CEST)
Subject: SUSE-SU-2021:1445-1: important: Security update for samba
Message-ID: <20210429191804.DD6A3FDE1@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1445-1
Rating:             important
References:         #1178469 #1179156 #1184677
Cross-References:   CVE-2021-20254
CVSS scores:
                    CVE-2021-20254 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
   - Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
   - Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1445=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1445=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1445=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1445=1

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2021-1445=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libdcerpc-binding0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-devel-4.7.11+git.316.432f0218290-4.54.1
libndr-krb5pac-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-4.7.11+git.316.432f0218290-4.54.1 libndr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi-devel-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-4.7.11+git.316.432f0218290-4.54.1 
libsmbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util-devel-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-4.7.11+git.316.432f0218290-4.54.1 samba-client-4.7.11+git.316.432f0218290-4.54.1 samba-client-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-core-devel-4.7.11+git.316.432f0218290-4.54.1 samba-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debugsource-4.7.11+git.316.432f0218290-4.54.1 samba-libs-4.7.11+git.316.432f0218290-4.54.1 samba-libs-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libdcerpc-binding0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-32bit-4.7.11+git.316.432f0218290-4.54.1 
libnetapi0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-libs-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-libs-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libdcerpc-binding0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-devel-4.7.11+git.316.432f0218290-4.54.1 
libdcerpc-samr-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-4.7.11+git.316.432f0218290-4.54.1 libndr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi-devel-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-4.7.11+git.316.432f0218290-4.54.1 
libsamba-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util-devel-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-4.7.11+git.316.432f0218290-4.54.1 samba-client-4.7.11+git.316.432f0218290-4.54.1 samba-client-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-core-devel-4.7.11+git.316.432f0218290-4.54.1 samba-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debugsource-4.7.11+git.316.432f0218290-4.54.1 samba-libs-4.7.11+git.316.432f0218290-4.54.1 samba-libs-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libdcerpc-binding0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-4.7.11+git.316.432f0218290-4.54.1 
libdcerpc0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-4.7.11+git.316.432f0218290-4.54.1 libndr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi-devel-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient-devel-4.7.11+git.316.432f0218290-4.54.1 
libsmbclient0-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util-devel-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-4.7.11+git.316.432f0218290-4.54.1 samba-client-4.7.11+git.316.432f0218290-4.54.1 samba-client-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-core-devel-4.7.11+git.316.432f0218290-4.54.1 samba-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debugsource-4.7.11+git.316.432f0218290-4.54.1 samba-libs-4.7.11+git.316.432f0218290-4.54.1 samba-libs-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libdcerpc-binding0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-32bit-4.7.11+git.316.432f0218290-4.54.1 
libndr0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-32bit-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-libs-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-libs-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libdcerpc-binding0-4.7.11+git.316.432f0218290-4.54.1 
libdcerpc-binding0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr-devel-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-samr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard-devel-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-4.7.11+git.316.432f0218290-4.54.1 libndr0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi-devel-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-policy0-4.7.11+git.316.432f0218290-4.54.1 
libsamba-util-devel-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb-devel-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap-devel-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util-devel-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient-devel-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-4.7.11+git.316.432f0218290-4.54.1 samba-client-4.7.11+git.316.432f0218290-4.54.1 samba-client-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-core-devel-4.7.11+git.316.432f0218290-4.54.1 samba-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debugsource-4.7.11+git.316.432f0218290-4.54.1 samba-libs-4.7.11+git.316.432f0218290-4.54.1 samba-libs-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-debuginfo-4.7.11+git.316.432f0218290-4.54.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libdcerpc-binding0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-4.7.11+git.316.432f0218290-4.54.1 libdcerpc0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-krb5pac0-32bit-4.7.11+git.316.432f0218290-4.54.1 
libndr-krb5pac0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr-standard0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libndr0-32bit-4.7.11+git.316.432f0218290-4.54.1 libndr0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-32bit-4.7.11+git.316.432f0218290-4.54.1 libnetapi0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-passdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamba-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsamdb0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbconf0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-4.7.11+git.316.432f0218290-4.54.1 libsmbldap2-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-4.7.11+git.316.432f0218290-4.54.1 libtevent-util0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-4.7.11+git.316.432f0218290-4.54.1 libwbclient0-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-client-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 
samba-libs-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-libs-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-4.7.11+git.316.432f0218290-4.54.1 samba-winbind-32bit-debuginfo-4.7.11+git.316.432f0218290-4.54.1

- SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
ctdb-4.7.11+git.316.432f0218290-4.54.1 ctdb-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debuginfo-4.7.11+git.316.432f0218290-4.54.1 samba-debugsource-4.7.11+git.316.432f0218290-4.54.1

References:

https://www.suse.com/security/cve/CVE-2021-20254.html
https://bugzilla.suse.com/1178469
https://bugzilla.suse.com/1179156
https://bugzilla.suse.com/1184677

From sle-security-updates at lists.suse.com Fri Apr 30 06:10:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 08:10:45 +0200 (CEST)
Subject: SUSE-CU-2021:129-1: Security update of suse/sles12sp4
Message-ID: <20210430061045.59297B45E67@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:129-1
Container Tags : suse/sles12sp4:26.284 , suse/sles12sp4:latest
Container Release : 26.284
Severity : important
Type : security
References : 1050467 1182899
-----------------------------------------------------------------

The container suse/sles12sp4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1429-1
Released: Thu Apr 29 10:04:35 2021
Summary: Security update for permissions
Type: security
Severity: important
References: 1050467,1182899

This update for permissions fixes the following issues:

- Update to version 20170707:
  * make btmp root:utmp (bsc#1050467, bsc#1182899)

From sle-security-updates at lists.suse.com Fri Apr 30 06:18:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 08:18:48 +0200 (CEST)
Subject: SUSE-CU-2021:130-1: Security update of suse/sles12sp5
Message-ID: <20210430061848.B6A48B4613A@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:130-1
Container Tags : suse/sles12sp5:6.5.170 , suse/sles12sp5:latest
Container Release : 6.5.170
Severity : important
Type : security
References : 1050467 1182899
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1429-1
Released: Thu Apr 29 10:04:35 2021
Summary: Security update for permissions
Type: security
Severity: important
References: 1050467,1182899

This update for permissions fixes the following issues:

- Update to version 20170707:
  * make btmp root:utmp (bsc#1050467, bsc#1182899)

From sle-security-updates at lists.suse.com Fri Apr 30 10:22:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 12:22:14 +0200 (CEST)
Subject: SUSE-SU-2021:1453-1: important: Security update for cups
Message-ID: <20210430102214.C2688FDE1@maintenance.suse.de>

SUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1453-1
Rating: important
References: #1184161
Cross-References: CVE-2021-25317
CVSS scores:
CVE-2021-25317 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud 8
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
SUSE Linux Enterprise Server 12-SP2-BCL
HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for cups fixes the following issues:

- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1453=1

- SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1453=1

- SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1453=1

- SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1453=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1453=1

- SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1453=1

- SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1453=1

- SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1453=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1453=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1453=1

- SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1453=1

- SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1453=1

- SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1453=1

- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1453=1

- HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2021-1453=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1
cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE OpenStack Cloud 9 (x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE OpenStack Cloud 8 (x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.36.1 cups-ddk-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-devel-1.7.5-20.36.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 
cups-libs-debuginfo-1.7.5-20.36.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1 - SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64): cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 
cups-libs-debuginfo-32bit-1.7.5-20.36.1

- SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):
cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1

- HPE Helion Openstack 8 (x86_64):
cups-1.7.5-20.36.1 cups-client-1.7.5-20.36.1 cups-client-debuginfo-1.7.5-20.36.1 cups-debuginfo-1.7.5-20.36.1 cups-debugsource-1.7.5-20.36.1 cups-libs-1.7.5-20.36.1 cups-libs-32bit-1.7.5-20.36.1 cups-libs-debuginfo-1.7.5-20.36.1 cups-libs-debuginfo-32bit-1.7.5-20.36.1

References:

https://www.suse.com/security/cve/CVE-2021-25317.html
https://bugzilla.suse.com/1184161

From sle-security-updates at lists.suse.com Fri Apr 30 10:23:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 12:23:28 +0200 (CEST)
Subject: SUSE-SU-2021:14712-1: important: Security update for cups
Message-ID: <20210430102328.B6E2CFDE1@maintenance.suse.de>

SUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14712-1
Rating: important
References: #1184161
Cross-References: CVE-2021-25317
CVSS scores:
CVE-2021-25317 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cups fixes the following issues:

- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
zypper in -t patch slessp4-cups-14712=1

- SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-cups-14712=1

- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-cups-14712=1

- SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-cups-14712=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
cups-1.3.9-8.46.56.18.1 cups-client-1.3.9-8.46.56.18.1 cups-libs-1.3.9-8.46.56.18.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
cups-libs-32bit-1.3.9-8.46.56.18.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
cups-1.3.9-8.46.56.18.1 cups-client-1.3.9-8.46.56.18.1 cups-libs-1.3.9-8.46.56.18.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
cups-debuginfo-1.3.9-8.46.56.18.1 cups-debugsource-1.3.9-8.46.56.18.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
cups-debuginfo-1.3.9-8.46.56.18.1 cups-debugsource-1.3.9-8.46.56.18.1

References:

https://www.suse.com/security/cve/CVE-2021-25317.html
https://bugzilla.suse.com/1184161

From sle-security-updates at lists.suse.com Fri Apr 30 10:24:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 12:24:45 +0200 (CEST)
Subject: SUSE-SU-2021:1454-1: important: Security update for cups
Message-ID: <20210430102445.53FBBFDE1@maintenance.suse.de>

SUSE Security Update:
Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1454-1 Rating: important References: #1184161 Cross-References: CVE-2021-25317 CVSS scores: CVE-2021-25317 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cups fixes the following issues: - CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1454=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1454=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1454=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1454=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1454=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1454=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1454=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1454=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1454=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1454=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1454=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1454=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1454=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1454=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1454=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1454=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1454=1 - SUSE CaaS 
Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Manager Server 4.0 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Manager Proxy 4.0 (x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 
libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 
libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): cups-ddk-2.2.7-3.26.1 
cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 
libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 
cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 - SUSE Enterprise Storage 6 (x86_64): libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 - SUSE CaaS Platform 4.0 (x86_64): cups-2.2.7-3.26.1 cups-client-2.2.7-3.26.1 cups-client-debuginfo-2.2.7-3.26.1 cups-config-2.2.7-3.26.1 cups-ddk-2.2.7-3.26.1 cups-ddk-debuginfo-2.2.7-3.26.1 cups-debuginfo-2.2.7-3.26.1 cups-debugsource-2.2.7-3.26.1 cups-devel-2.2.7-3.26.1 libcups2-2.2.7-3.26.1 libcups2-32bit-2.2.7-3.26.1 libcups2-32bit-debuginfo-2.2.7-3.26.1 libcups2-debuginfo-2.2.7-3.26.1 libcupscgi1-2.2.7-3.26.1 libcupscgi1-debuginfo-2.2.7-3.26.1 libcupsimage2-2.2.7-3.26.1 libcupsimage2-debuginfo-2.2.7-3.26.1 libcupsmime1-2.2.7-3.26.1 libcupsmime1-debuginfo-2.2.7-3.26.1 libcupsppdc1-2.2.7-3.26.1 libcupsppdc1-debuginfo-2.2.7-3.26.1 References: https://www.suse.com/security/cve/CVE-2021-25317.html https://bugzilla.suse.com/1184161 From 
sle-security-updates at lists.suse.com Fri Apr 30 13:17:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 15:17:11 +0200 (CEST)
Subject: SUSE-SU-2021:1455-1: important: Security update for cifs-utils
Message-ID: <20210430131711.F01D7FE04@maintenance.suse.de>

   SUSE Security Update: Security update for cifs-utils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1455-1
Rating:             important
References:         #1152930 #1174477 #1183239 #1184815
Cross-References:   CVE-2020-14342 CVE-2021-20208
CVSS scores:
                    CVE-2020-14342 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-14342 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-20208 (NVD) : 6.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
                    CVE-2021-20208 (SUSE): 6.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes is now available.

Description:

   This update for cifs-utils fixes the following security issues:

   - CVE-2021-20208: Fixed a potential Kerberos auth leak escaping from
     container. (bsc#1183239)
   - CVE-2020-14342: Fixed a shell command injection vulnerability in
     mount.cifs. (bsc#1174477)

   This update for cifs-utils fixes the following issues:

   - Solve invalid directory mounting. When attempting to change the current
     working directory into non-existing directories, mount.cifs crashes.
     (bsc#1152930)
   - Fixed a bug where it was no longer possible to mount CIFS filesystem
     after the last maintenance update. (bsc#1184815)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1455=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1455=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1455=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1455=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      cifs-utils-6.9-3.14.1
      cifs-utils-debuginfo-6.9-3.14.1
      cifs-utils-debugsource-6.9-3.14.1
      cifs-utils-devel-6.9-3.14.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      cifs-utils-6.9-3.14.1
      cifs-utils-debuginfo-6.9-3.14.1
      cifs-utils-debugsource-6.9-3.14.1
      cifs-utils-devel-6.9-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      cifs-utils-6.9-3.14.1
      cifs-utils-debuginfo-6.9-3.14.1
      cifs-utils-debugsource-6.9-3.14.1
      cifs-utils-devel-6.9-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      cifs-utils-6.9-3.14.1
      cifs-utils-debuginfo-6.9-3.14.1
      cifs-utils-debugsource-6.9-3.14.1
      cifs-utils-devel-6.9-3.14.1

References:

   https://www.suse.com/security/cve/CVE-2020-14342.html
   https://www.suse.com/security/cve/CVE-2021-20208.html
   https://bugzilla.suse.com/1152930
   https://bugzilla.suse.com/1174477
   https://bugzilla.suse.com/1183239
   https://bugzilla.suse.com/1184815

From sle-security-updates at lists.suse.com Fri Apr 30 16:18:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Apr 2021 18:18:36 +0200 (CEST)
Subject: SUSE-SU-2021:1458-1: important: Security update for containerd, docker, runc
Message-ID:
<20210430161836.75D22FE04@maintenance.suse.de> SUSE Security Update: Security update for containerd, docker, runc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1458-1 Rating: important References: #1028638 #1034053 #1048046 #1051429 #1053532 #1095817 #1118897 #1118898 #1118899 #1121967 #1131314 #1131553 #1149954 #1152308 #1160452 #1168481 #1175081 #1175821 #1181594 #1181641 #1181677 #1181730 #1181732 #1181749 #1182451 #1182476 #1182947 #1183024 #1183397 #1183855 #1184768 #1184962 Cross-References: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-16884 CVE-2019-19921 CVE-2019-5736 CVE-2021-21284 CVE-2021-21285 CVE-2021-21334 CVSS scores: CVE-2018-16873 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16874 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16875 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 (SUSE): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-16884 (SUSE): 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19921 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-5736 (NVD) : 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 (SUSE): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2021-21284 (NVD) : 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N CVE-2021-21284 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVE-2021-21285 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-21285 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2021-21334 (NVD) : 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2021-21334 (SUSE): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Containers 12 
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has 23 fixes is now available.

Description:

   This update for containerd, docker, runc fixes the following issues:

   - Docker was updated to 20.10.6-ce
     * Switch version to use -ce suffix rather than _ce to avoid confusing
       other tools (bsc#1182476).
     * CVE-2021-21284: Fixed a potential privilege escalation when the root
       user in the remapped namespace has access to the host filesystem
       (bsc#1181732)
     * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image
       manifest crashes the dockerd daemon (bsc#1181730).

   - runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962).
     * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
     * Fixed /dev/null is not available (bsc#1168481).
     * Fixed an issue where podman hangs when spawned by salt-minion process
       (bsc#1149954).
     * CVE-2019-19921: Fixed a race condition with shared mounts
       (bsc#1160452).
     * CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that
       mounts over a /proc directory (bsc#1152308).
     * CVE-2019-5736: Fixed potential write attacks to the host runc binary
       (bsc#1121967).
     * Fixed an issue where after a kernel-update docker doesn't run
       (bsc#1131314 bsc#1131553)
     * Ensure that we always include the version information in runc
       (bsc#1053532).

   - Switch to Go 1.13 for build.
     * CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897).
     * CVE-2018-16874: Fixed a directory traversal in "go get" via curly
       braces in import paths (bsc#1118898).
     * CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899).
     * Fixed an issue with building containers (bsc#1095817).

   - containerd was updated to v1.4.4
     * CVE-2021-21334: Fixed a potential information leak through environment
       variables (bsc#1183397).
     * Handle a requirement from docker (bsc#1181594).
     * Install the containerd-shim* binaries and stop creating (bsc#1183024).
     * update version to the one required by docker (bsc#1034053)

   - Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429)
   - Cleanup seccomp builds similar (bsc#1028638).
   - Update to handle the docker-runc removal, and drop the -kubic flavour
     (bsc#1181677, bsc#1181749)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 12:

      zypper in -t patch SUSE-SLE-Module-Containers-12-2021-1458=1

Package List:

   - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):

      containerd-1.4.4-16.38.1
      docker-20.10.6_ce-98.66.1
      docker-debuginfo-20.10.6_ce-98.66.1
      runc-1.0.0~rc93-16.8.1
      runc-debuginfo-1.0.0~rc93-16.8.1

References:

   https://www.suse.com/security/cve/CVE-2018-16873.html
   https://www.suse.com/security/cve/CVE-2018-16874.html
   https://www.suse.com/security/cve/CVE-2018-16875.html
   https://www.suse.com/security/cve/CVE-2019-16884.html
   https://www.suse.com/security/cve/CVE-2019-19921.html
   https://www.suse.com/security/cve/CVE-2019-5736.html
   https://www.suse.com/security/cve/CVE-2021-21284.html
   https://www.suse.com/security/cve/CVE-2021-21285.html
   https://www.suse.com/security/cve/CVE-2021-21334.html
   https://bugzilla.suse.com/1028638
   https://bugzilla.suse.com/1034053
   https://bugzilla.suse.com/1048046
   https://bugzilla.suse.com/1051429
   https://bugzilla.suse.com/1053532
   https://bugzilla.suse.com/1095817
   https://bugzilla.suse.com/1118897
   https://bugzilla.suse.com/1118898
   https://bugzilla.suse.com/1118899
   https://bugzilla.suse.com/1121967
   https://bugzilla.suse.com/1131314
   https://bugzilla.suse.com/1131553
   https://bugzilla.suse.com/1149954
   https://bugzilla.suse.com/1152308
   https://bugzilla.suse.com/1160452
   https://bugzilla.suse.com/1168481
   https://bugzilla.suse.com/1175081
   https://bugzilla.suse.com/1175821
   https://bugzilla.suse.com/1181594
https://bugzilla.suse.com/1181641 https://bugzilla.suse.com/1181677 https://bugzilla.suse.com/1181730 https://bugzilla.suse.com/1181732 https://bugzilla.suse.com/1181749 https://bugzilla.suse.com/1182451 https://bugzilla.suse.com/1182476 https://bugzilla.suse.com/1182947 https://bugzilla.suse.com/1183024 https://bugzilla.suse.com/1183397 https://bugzilla.suse.com/1183855 https://bugzilla.suse.com/1184768 https://bugzilla.suse.com/1184962 From sle-security-updates at lists.suse.com Fri Apr 30 16:22:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 30 Apr 2021 18:22:26 +0200 (CEST) Subject: SUSE-SU-2021:1460-1: important: Security update for xen Message-ID: <20210430162226.DDD4FFE04@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1460-1 Rating: important References: #1027519 #1177204 #1178591 #1179148 #1181254 #1181989 #1183072 Cross-References: CVE-2020-28368 CVE-2021-28687 CVE-2021-3308 CVSS scores: CVE-2020-28368 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2020-28368 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2021-3308 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3308 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves three vulnerabilities and has four fixes is now available. 
Description:

   This update for xen fixes the following issues:

   - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack
     (bsc#1178591, XSA-351)
   - CVE-2021-3308: IRQ vector leak on x86 (bsc#1181254, XSA-360)
   - CVE-2021-28687: HVM soft-reset crashes toolstack (bsc#1183072, XSA-368)
   - L3: conring size for XEN HV's with huge memory too small (bsc#1177204).
   - kdump of HVM fails, soft-reset not handled by libxl (bsc#1179148)
   - openQA job causes libvirtd to dump core when running kdump inside domain
     (bsc#1181989).
   - Upstream bug fixes (bsc#1027519)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1460=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1460=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1460=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1460=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1460=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1460=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1460=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1460=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1460=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.
Package List: - SUSE Manager Server 4.0 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Manager Retail Branch Server 4.0 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Manager Proxy 4.0 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Linux 
Enterprise High Performance Computing 15-SP1-LTSS (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE Enterprise Storage 6 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 - SUSE CaaS Platform 4.0 (x86_64): xen-4.12.4_08-3.43.3 xen-debugsource-4.12.4_08-3.43.3 xen-devel-4.12.4_08-3.43.3 xen-libs-4.12.4_08-3.43.3 xen-libs-debuginfo-4.12.4_08-3.43.3 xen-tools-4.12.4_08-3.43.3 xen-tools-debuginfo-4.12.4_08-3.43.3 xen-tools-domU-4.12.4_08-3.43.3 xen-tools-domU-debuginfo-4.12.4_08-3.43.3 References: https://www.suse.com/security/cve/CVE-2020-28368.html https://www.suse.com/security/cve/CVE-2021-28687.html https://www.suse.com/security/cve/CVE-2021-3308.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1177204 https://bugzilla.suse.com/1178591 https://bugzilla.suse.com/1179148 https://bugzilla.suse.com/1181254 https://bugzilla.suse.com/1181989 https://bugzilla.suse.com/1183072